Troj/Slacker-A

Discussion in 'malware problems & news' started by FanJ, Mar 4, 2003.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Troj/Slacker-A
    Aliases: VirTool Win32.Slackworm, Win32/Slacke.worm

    Troj/Slacker-A is a complex Trojan that may be installed by Troj/Yabinder or any other generic Trojan dropper.

    Troj/Slacker-A may be delivered separately or packed within cnn3.exe, which is a variant of Troj/Yabinder.

    When executed, cnn3.exe creates a new folder in the root folder with the name SP and extracts the following files to the new folder, setting their attributes to hidden:

    abc.bat
    main.exe
    psexec.exe
    slacke-worm.exe

    Cnn3.exe then spawns slacke-worm.exe. Slacke-worm.exe runs in the background as a "netbios auto-router by eRiC" VB application and searches for available IP addresses with no password or a weak password (on port 445).

    Slacke-worm.exe then calls abc.bat, with the relevant computer name, which tries a list of passwords for the administrative accounts and then uses psexec.exe to copy over and run main.exe on the remote computer.

    Main.exe is detected as Troj/SDBot-S. Psexec.exe is a legitimate "Sysinternals PsExec" application.

    http://www.sophos.com/virusinfo/analyses/trojslackera.html
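
A triage check for the drop location described in the post, as an added example that is not part of the original post or of the Sophos analysis: it looks for an SP folder under a given root and reports which of the four listed files are present and whether they are hidden. The function names and verdict labels are assumptions of this example, and the sample directory is constructed.

```python
import os
import stat
import tempfile

# Folder and file names come from the post; psexec.exe is a legitimate
# Sysinternals tool, so finding it alone is not treated as evidence.
DROP_DIR = "sp"
DROPPED = {"abc.bat", "main.exe", "psexec.exe", "slacke-worm.exe"}
LEGITIMATE_ALONE = {"psexec.exe"}

def is_hidden(path):
    """True if the Windows hidden attribute is set (always False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def check_root(root):
    """Look for <root>/SP and report which of the dropped files it holds."""
    result = {"folder": None, "found": [], "hidden": [], "verdict": "clean"}
    # Windows names are case-insensitive, so compare lower-cased names.
    for entry in os.listdir(root):
        full = os.path.join(root, entry)
        if entry.lower() == DROP_DIR and os.path.isdir(full):
            result["folder"] = full
            break
    if result["folder"] is None:
        return result
    for name in sorted(os.listdir(result["folder"])):
        if name.lower() in DROPPED:
            result["found"].append(name.lower())
            if is_hidden(os.path.join(result["folder"], name)):
                result["hidden"].append(name.lower())
    found = set(result["found"])
    if found == DROPPED:
        result["verdict"] = "match"      # the complete set from the post
    elif found - LEGITIMATE_ALONE:
        result["verdict"] = "partial"    # some dropped files, worth a look
    return result

def make_sample_root(names):
    """Constructed sample: a temp root with an SP folder of empty files."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "SP"))
    for name in names:
        open(os.path.join(root, "SP", name), "w").close()
    return root

if __name__ == "__main__":
    print(check_root(make_sample_root(DROPPED)))
```

On a live Windows system, pass each drive root to `check_root`; the hidden-attribute list is only populated there, since other platforms do not expose that attribute.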
     