A French Trojan horse and virus.
- The name means "Trojan Sockets" in French.
- Typically uses the ports 5000, 5001, 30303, and 50505.
- Was created with Delphi 3.
- Several variants known.
- Includes a remote administration tool like Back Orifice and NetBus, so it has a server portion (spread with the virus) and a client portion.
- Pretends to be a setup program lacking setup32.dll.
- Copies a file called mschv32.exe to the system directory and runs it at startup through the registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunLoad, "MSchv32 Drv" = C:\WINDOWS\SYSTEM\MSchv32.exe
- To detect whether you are infected, check for the registry value HKEY_CLASSES_ROOT\DirectSockets, "DirectSocketsCtrl" = $A4 D5 #FFF
- Executing creates an error message about a missing SETUP32.DLL or ISAPI32.DLL.
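A defender-side check for the indicators listed above, added here as an example rather than taken from the original entry. The registry values, dropped file name and ports are the page's own; the snapshot format, the severity labels and the sample host data in the test are assumptions:

```python
"""Indicator check for the Socket de Troie artefacts listed on this page.
Registry values, file name and ports are the page's IoCs; the snapshot
format and severity labels are assumptions made for this example."""
import sys

REG_VALUES = {  # (key, value name) pairs quoted from the page
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunLoad",
     "MSchv32 Drv"),
    (r"HKEY_CLASSES_ROOT\DirectSockets", "DirectSocketsCtrl"),
}
DROPPED_FILE = "mschv32.exe"
PORTS = {5000, 5001, 30303, 50505}


def check_snapshot(registry, system_files, listening_ports):
    """Evaluate a host snapshot: `registry` is an iterable of (key, value_name)
    pairs present on the host, `system_files` the file names in the system
    directory, `listening_ports` the TCP ports with a local listener.
    Returns (severity, description) tuples; registry names and file names
    are compared case-insensitively, as Windows does."""
    present = {(k.lower(), v.lower()) for k, v in registry}
    findings = []
    for key, name in sorted(REG_VALUES):
        if (key.lower(), name.lower()) in present:
            findings.append(("high", f"{name} present under {key}"))
    if DROPPED_FILE in {f.lower() for f in system_files}:
        findings.append(("high", f"{DROPPED_FILE} in system directory"))
    for port in sorted(PORTS & set(listening_ports)):
        # A listener alone is only corroborating: legitimate software uses
        # these ports too, so it is reported at low severity.
        findings.append(("low", f"listener on port {port}"))
    return findings


def collect_registry():
    """Windows-only collector for the registry part of the snapshot: returns
    the (key, value_name) pairs from REG_VALUES that exist; [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    roots = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_CLASSES_ROOT": winreg.HKEY_CLASSES_ROOT}
    found = []
    for key, name in REG_VALUES:
        root, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(roots[root], subkey) as handle:
                winreg.QueryValueEx(handle, name)
            found.append((key, name))
        except OSError:
            pass
    return found
```

On a Windows host, pass `collect_registry()` as the first argument together with a directory listing and the output of a port enumeration; file and port collection are left to the caller.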