.: CiGiCiGi ViP 2.0 [platinium] Backdoored :.
Released 16 years, 10 months ago. Aug 2005
By F”NG”§ KĄD[x]::actions
Additional Details
- From: Turkey
- Coded by: F”NG”§ KĄD[x]
- Version: CiGiCiGi ViP 2.0 [platinium] Backdoored
- Released date: Aug 2005, 16 years, 10 months ago.
- Coded in: Delphi
- Family: CiGiCiGi
- Category: Information Stealer
MegaSecurity Notes
Client Dropped Files: c:\Documents and Settings\%user%\Local Settings\Temp\Cigicigi Vip.exe Size: 1,988,608 bytes c:\Documents and Settings\%user%\Local Settings\Temp\Ekran.bmp Size: 3,131,658 bytes c:\Documents and Settings\%user%\Local Settings\Temp\Keylogger-MEGASECURITY.txt Size: 2 bytes c:\Documents and Settings\%user%\Local Settings\Temp\mail.exe Size: 46,080 bytes c:\Documents and Settings\%user%\Local Settings\Temp\mail.txt Size: 0 bytes c:\Documents and Settings\%user%\Local Settings\Temp\msn.exe Size: 44,544 bytes c:\Documents and Settings\%user%\Local Settings\Temp\msn.txt Size: 0 bytes c:\Documents and Settings\%user%\Local Settings\Temp\Perflib_Perfdata_8b8.dat Size: 16,384 bytes c:\Documents and Settings\%user%\Local Settings\Temp\pspv.exe Size: 52,736 bytes c:\Documents and Settings\%user%\Local Settings\Temp\pspv.txt Size: 256 bytes c:\Documents and Settings\%user%\Local Settings\Temp\server.exe Size: 664,055 bytes c:\WINDOWS\system32\1298.ftp Size: 15 bytes c:\WINDOWS\system32\1298.pass Size: 6 bytes c:\WINDOWS\system32\1298.usr Size: 10 bytes c:\WINDOWS\system32\blckx.exe Size: 618,496 bytes c:\WINDOWS\system32\ip.php Size: 40 bytes c:\WINDOWS\system32\drivers\ctfmon.exe Size: 212,992 bytes c:\WINDOWS\system32\drivers\PicFormat32.dll Size: 121,564 bytes c:\WINDOWS\system32\drivers\PicFormat32.ocx Size: 36,864 bytes c:\WINDOWS\system32\drivers\rundll32.exe Size: 200,704 bytes c:\WINDOWS\system32\drivers\svchost.exe Size: 176,128 bytes Added to Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "msconfig" Data: C:\WINDOWS\system32\blckx.exe Tested on Windows XP March 03, 2009
URL's and mails were automatically redacted (filtered) for reader's safety. However the filter is not perfect and can't find all harmful elements. If you find something dangerous including file link, website, mail address, profanity... contact me immediately at sub7crew@protonmail.com, thank you in advance.