Troj/Slacker-A Aliases: VirTool Win32.Slackworm, Win32/Slacke.worm Troj/Slacker-A is a complex Trojan that may be installed by Troj/Yabinder or any other generic Trojan dropper. Troj/Slacker-A may be delivered separately or packed within cnn3.exe which is a variant of Troj/Yabinder. When executed cnn3.exe creates a new folder in the root folder with the name SP and extracts the following files to the new folder, setting their attributes to hidden: abc.bat main.exe psexec.exe slacke-worm.exe Cnn3.exe then spawns slacke-worm.exe. Slacke-worm.exe runs in the background as a "netbios auto-router by eRiC" VB application and searches for available IP addresses with no password or a weak password (on port 445). Slacke-worm.exe then calls abc.bat, with the relevant computer name, which tries a list of passwords for the administrative accounts and then uses psexec.exe to copy over and run main.exe on the remote computer. Main.exe is detected as Troj/SDBot-S. Psexec.exe is a legitimate "Sysinternals PsExec" application. http://www.sophos.com/virusinfo/analyses/trojslackera.html