.: CiGiCiGi ViP 2.0 [platinium] Backdoored :.

Additional Details

• From: Turkey
• Coded by: F”NG”§ KĄD[x]
• Version: CiGiCiGi ViP 2.0 [platinium] Backdoored
• Released date: Aug 2005, 16 years, 5 months ago.
• Coded in: Delphi
• Family: CiGiCiGi
• Category: Information Stealer

MegaSecurity Notes

Client
Dropped Files:
c:\Documents and Settings\%user%\Local Settings\Temp\Cigicigi Vip.exe 
Size: 1,988,608 bytes 

c:\Documents and Settings\%user%\Local Settings\Temp\Ekran.bmp 
Size: 3,131,658 bytes 

c:\Documents and Settings\%user%\Local Settings\Temp\Keylogger-MEGASECURITY.txt 
Size: 2 bytes 

c:\Documents and Settings\%user%\Local Settings\Temp\mail.exe 
Size: 46,080 bytes 

c:\Documents and Settings\%user%\Local Settings\Temp\mail.txt 
Size: 0 bytes 

c:\Documents and Settings\%user%\Local Settings\Temp\msn.exe 
Size: 44,544 bytes 

c:\Documents and Settings\%user%\Local Settings\Temp\msn.txt 
Size: 0 bytes 

c:\Documents and Settings\%user%\Local Settings\Temp\Perflib_Perfdata_8b8.dat 
Size: 16,384 bytes 

c:\Documents and Settings\%user%\Local Settings\Temp\pspv.exe 
Size: 52,736 bytes 

c:\Documents and Settings\%user%\Local Settings\Temp\pspv.txt 
Size: 256 bytes 

c:\Documents and Settings\%user%\Local Settings\Temp\server.exe 
Size: 664,055 bytes 

c:\WINDOWS\system32\1298.ftp 
Size: 15 bytes 

c:\WINDOWS\system32\1298.pass 
Size: 6 bytes 

c:\WINDOWS\system32\1298.usr 
Size: 10 bytes 

c:\WINDOWS\system32\blckx.exe 
Size: 618,496 bytes 

c:\WINDOWS\system32\ip.php 
Size: 40 bytes 

c:\WINDOWS\system32\drivers\ctfmon.exe 
Size: 212,992 bytes 

c:\WINDOWS\system32\drivers\PicFormat32.dll 
Size: 121,564 bytes 

c:\WINDOWS\system32\drivers\PicFormat32.ocx 
Size: 36,864 bytes 

c:\WINDOWS\system32\drivers\rundll32.exe 
Size: 200,704 bytes 

c:\WINDOWS\system32\drivers\svchost.exe 
Size: 176,128 bytes 



Added to Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "msconfig" 
Data: C:\WINDOWS\system32\blckx.exe 


Tested on Windows XP
March 03, 2009