.: Tonerok :.
Released Jan 2004 (17 years, 9 months ago). By: ?
- From: ?
- Coded by: ?
- Version: Tonerok
- Released date: Jan 2004, 17 years, 9 months ago.
- Coded in: VBScript, compressed with UPX
- Family: Tonerok
- Category: Remote Access
Server:
- Dropped file: c:\%WinDir%\svchost.exe
- Size: 13,824 bytes
- Ports: 10002, 1154 TCP
- Startup: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Online Service"
- Registry added: HKEY_LOCAL_MACHINE\Software\Microsoft\Mserv "IDwin"
- Dropped files:
  c:\WINDOWS\mserv.exe (Trojan.Win32.Killav.br)
  c:\WINDOWS\msto32.dll (Backdoor.Tonerok)
  c:\WINDOWS\sysini.ini (contents: "***Computer was successfully infected***")
  c:\WINDOWS\SYSTEM\wingua.exe (Trojan.Win32.Killav.br)
  c:\WINDOWS\svchost.exe (Backdoor.Tonerok)

Backdoor.Tonerok tries to download and execute several files (1.exe, 2.exe and 3.exe) from "--/URL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\--" (Russia). It is capable of disabling some anti-virus programs (mserv.exe and wingua.exe are the components detected as Trojan.Win32.Killav.br). The contents of the folders "c:\WINDOWS\Cookies\" and "c:\WINDOWS\Temporary Internet Files\" are deleted.
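The indicators above can be checked offline against artifacts pulled from a suspect host. The following is an added example, not code from the original page or from Sub7Crew: a Python triage script that matches the Run value, the Mserv marker key, the dropped file paths and the listening ports against a registry export, a directory listing and `netstat -ano` output. The artifact formats (a `.reg`-style export, one path per line, `netstat -ano` columns), the function names and the sample data are assumptions and the samples are constructed, not captured. It also flags the point the file list implies: the genuine svchost.exe lives only under System32 (or SysWOW64), so a copy directly under c:\WINDOWS is a decoy name regardless of its size.

```python
import re

# Indicators from the write-up, lower-cased because Windows paths and
# registry names are case-insensitive.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "online service"
MARKER_KEY = r"hkey_local_machine\software\microsoft\mserv"
MARKER_VALUE = "idwin"
DROPPED_FILES = {
    r"c:\windows\mserv.exe",
    r"c:\windows\msto32.dll",
    r"c:\windows\sysini.ini",
    r"c:\windows\system\wingua.exe",
    r"c:\windows\svchost.exe",
}
BACKDOOR_PORTS = {10002, 1154}
# The genuine service host lives only here; the same name elsewhere is a decoy.
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_reg_export(text):
    """Map (key, value_name) -> data from .reg-style text (assumed collector format)."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = m.group(1).lower()
            continue
        m = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if m and key:
            values[(key, m.group(1).lower())] = m.group(2)
    return values


def parse_listening_ports(netstat_text):
    """TCP ports in LISTENING state from `netstat -ano` output. A client
    connection that happens to use 1154 as its ephemeral port is ignored."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def triage(reg_text, file_list_text, netstat_text):
    """Return the list of Tonerok indicators found in the three artifacts."""
    findings = []
    reg = parse_reg_export(reg_text)
    if (RUN_KEY, RUN_VALUE) in reg:
        findings.append("Run-key persistence 'Online Service' -> " + reg[(RUN_KEY, RUN_VALUE)])
    if (MARKER_KEY, MARKER_VALUE) in reg:
        findings.append("infection marker HKLM\\Software\\Microsoft\\Mserv\\IDwin present")
    files = {p.strip().lower() for p in file_list_text.splitlines() if p.strip()}
    for f in sorted(DROPPED_FILES & files):
        findings.append("dropped file present: " + f)
    for f in sorted(files):
        if f.endswith("\\svchost.exe") and not f.startswith(LEGIT_SVCHOST_DIRS):
            findings.append("svchost.exe outside System32/SysWOW64: " + f)
    for p in sorted(BACKDOOR_PORTS & parse_listening_ports(netstat_text)):
        findings.append("backdoor port listening: %d/tcp" % p)
    return findings


def verdict(findings):
    """'infected' requires persistence plus at least one dropped file, so a
    stale Run value or a stray port alone only rates 'suspicious'."""
    has_persistence = any(f.startswith("Run-key") for f in findings)
    has_file = any(f.startswith("dropped file") for f in findings)
    if has_persistence and has_file:
        return "infected"
    return "suspicious" if findings else "clean"


# Constructed sample artifacts (not captured from a real host).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Online Service"="c:\\WINDOWS\\svchost.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Mserv]
"IDwin"="1"
"""
SAMPLE_FILES = r"""
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\msto32.dll
C:\WINDOWS\sysini.ini
C:\WINDOWS\SYSTEM\wingua.exe
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:10002          0.0.0.0:0              LISTENING       1488
  TCP    192.168.0.5:1154       10.0.0.9:80            ESTABLISHED     1032
"""

if __name__ == "__main__":
    found = triage(SAMPLE_REG, SAMPLE_FILES, SAMPLE_NETSTAT)
    print("\n".join(found))
    print("verdict:", verdict(found))
```

On the constructed sample the script reports the Run value, the Mserv marker, four of the five dropped files, the decoy svchost.exe under c:\WINDOWS and the 10002/tcp listener; the ESTABLISHED connection on 1154 is correctly left out because it is a client-side ephemeral port, not the backdoor's listener. Sizes are deliberately not matched, since a repacked sample changes them while the paths and registry names stay the same.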