- From: "Ant" <not@xxxxxxxxxx>
- Date: Mon, 6 Nov 2006 16:51:09 -0000
"David H. Lipman" wrote:
From: "Ant" <not@xxxxxxxxxx>
| The file may end up as Uninstall.exe, Uninstall0.exe, NTDETECT.EXE or
| [6 random digits].exe, and is downloaded from here:
Yes, and it places a copy of the EXE in:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\uninstall.exe
It will try to create the other names elsewhere if the above fails:
Random numeric exe in c:\recycler, or user's temp directory.
Random numeric exe prefixed with "sys" in root of current drive.
ntdetect.exe in c:\ (the genuine MS ntdetect has a .com extension).
Did you use a test machine or were you able to deobfuscate the
multiply encoded, will come out as garbage if you're unaware of the
little trick the author used.
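The drop locations listed above make a cheap triage check for an XP-era box. The script below is an added example, not code from either poster; it classifies a list of file paths against those indicators (Startup-folder uninstall.exe/Uninstall0.exe, a six-digit numeric .exe in RECYCLER or a Temp directory, a "sys"-prefixed numeric .exe in a drive root, and ntdetect.exe instead of NTDETECT.COM in the root). The sample path listing is constructed for the example, and the exact regexes (six digits, any digit run after "sys") are assumptions drawn from the descriptions in the thread, not from the sample itself.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample listing (hypothetical paths, e.g. output of "dir /s /b").
SAMPLE_PATHS = [
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\uninstall.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini",
    r"C:\RECYCLER\483920.exe",
    r"C:\Documents and Settings\bob\Local Settings\Temp\102938.exe",
    r"C:\sys583920.exe",
    r"C:\ntdetect.exe",
    r"C:\NTDETECT.COM",
    r"C:\WINDOWS\system32\notepad.exe",
]

# Indicators taken from the thread; patterns are assumptions on the "random digits" wording.
STARTUP_NAMES = {"uninstall.exe", "uninstall0.exe"}
NUMERIC_EXE = re.compile(r"^\d{6}\.exe$", re.I)
SYS_NUMERIC_EXE = re.compile(r"^sys\d+\.exe$", re.I)


def classify(path_str):
    """Return a short reason string if the path matches one of the drop
    locations described in the thread, else None."""
    p = PureWindowsPath(path_str)
    name = p.name.lower()
    parent = str(p.parent).lower()
    parts = [x.lower() for x in p.parts]
    # A file directly under the drive root has parts like ('C:\\', 'name.exe').
    in_drive_root = len(p.parts) == 2

    if name in STARTUP_NAMES and parent.endswith(r"start menu\programs\startup"):
        return "uninstall copy in All Users Startup folder"
    if NUMERIC_EXE.match(name) and (parts[1:2] == ["recycler"] or "temp" in parts):
        return "random numeric exe in RECYCLER or a Temp directory"
    if SYS_NUMERIC_EXE.match(name) and in_drive_root:
        return "sys-prefixed numeric exe in drive root"
    if name == "ntdetect.exe" and in_drive_root:
        return "ntdetect.exe in drive root (genuine loader is NTDETECT.COM)"
    return None


def scan(paths):
    """Return (path, reason) pairs for every path that matches an indicator."""
    hits = []
    for path_str in paths:
        reason = classify(path_str)
        if reason:
            hits.append((path_str, reason))
    return hits


if __name__ == "__main__":
    for path_str, reason in scan(SAMPLE_PATHS):
        print(f"{path_str}  <-  {reason}")
```

On a live system, feed `scan()` the paths from an `os.walk()` over the drive or from a saved `dir /s /b` listing; the classifier is pure string matching, so it can be run offline against a listing exported from the suspect machine. The NTDETECT.COM line is deliberately not flagged: the point of that indicator is the wrong extension, not the name.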
- From: David H. Lipman