Trojan-Clicker.Win32.NetBuie.b
| Alert Level : | Medium |
| Discovered: | Jun 16 2002 |
| Tag: | Trojan Clickers |
| Discoverer and Source: | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
NetBuie is a trojan horse that carries out periodic "clicks" or "hits" on banners held by the person or persons who created this virus; the purpose rating (value). The virus is a self-extracting ZIP-archive containing two EXE-files. Both files are written in Visual Basic 6.0 and is being distributed under the appearance of an XBox emulator.
Upon launching this variant of the NetBuie Trojan it unpacks the EXE-files into the Windows system directory under the names %WinDir%\System\DConfig.exe and %WinDir%\System\StealthXP.exe.
Next it creates new key in the registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "NetBUIE"="" "StealthXP"="C:\\WINDOWS\\SYSTEM\\StealthXP.exe"
Once this is done Netbuie executes the file DConfig.exe and them displays the following false message:
NetBuie then starts the StealthXP.exe program that periodically and clandestinely starts the web-browser and directs it to one of three web addresses:
- http://hg1.hitbox.com/HG?hc=w114&cd=1&hb=WQ500421D7CZ38EN0&n=Stealth4
- http://fastcounter.bcentral.com/fastcounter?1817391 3634789
- http://www.scorpionsearch.com/admin.html
0
Removal Trojan-Clicker.Win32.NetBuie.b instructions:
0
Need help? Live computer support via remote at SupportSpace |
