Subscribe0 0
This Trojan is a Win32 EXE file written in Delphi, about 20KB in size.
The Trojan doesn't install itself to the system and doesn't change its existing file name. The process in memory therefore has the same name as the Trojan's executable file.
It writes the URL http://teen-biz.com/ to the following registry keys:
[ HKCU\Software\Microsoft\Internet Explorer\Main\Start Page] [HKCU\Software\Microsoft\Internet Explorer\Main\Use Search Asst] [HKCU\Software\Microsoft\Internet Explorer\Main\Search Page] [HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar] [HKCU\Software\Microsoft\Internet Explorer\SearchURL] [HKCU\Software\Microsoft\Internet Explorer\SearchURL\provide] [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant]
The Trojan creates the following links in the 'Favourites' folder:
Quality Galleries 50 000 freepics and movie.url http://www.terra.es/personal8/banners1/ WOW VIDEOS AND PICS -- REALLY HARDCORE VIDEOS.url http://www.terra.es/personal8/banners2 Series Hardcore Pic Sets and Movies.url http://fujit.drocherway.com/cgi-bin/r.cgi?from=2 Elite Teen Sites - Adult portal The Best TEEN SITES.url http://eliteteensites.com/ Elite Mature Sites - Adult portal The Best Mature Sites.url http://elitematuresites.com/ FULL COLLECTION DIRTY PORNO.url http://teen-biz.com/ Young Teen Fucking Great Lo Archives.url http://toteen.com/cgi-bin/tds/in.cgi?outgo
The Trojan will open the following page every hour and a half:
http://toteen.com/cgi-bin/tds/in.cgi?outgo
Hot Articles