memo.xight.org

FlashTalk, Trojan horse Downloader.Agent.AS

FlashTalk, Trojan horse Downloader.Agent.AS

- Summary
  D:\INSTALL.LOG に以下の内容が書き込まれていた.

***  Installation Started 10/22/04 7:12  ***
Title: FlashTalk 1.2 Installation
Source: C:\WINNT\FT1_02_0_402_GEPFAH.EXE
Installation Aborted!


- 妖しげなファイルとそのファイルパス
  C:\WINNT 内

FT1_02_0_402_GEPFAH.EXE C:\WINNT
localNRD.dll C:\WINNT
preInsln.exe C:\WINNT
localNrd.inf C:\WINNT\inf
payload2.inf C:\WINNT\inf
%USERPROFILE% 内
banner.exe %USERPROFILE%\Local Settings\Temp
dummy.htm %USERPROFILE%\Local Settings\Temp
localNrd.cab %USERPROFILE%\Local Settings\Temp\THI52D5.tmp
localNRD.dll %USERPROFILE%\Local Settings\Temp\THI52D5.tmp
localNrd.inf %USERPROFILE%\Local Settings\Temp\THI52D5.tmp
polall1.exe %USERPROFILE%\Local Settings\Temp\THI52D5.tmp
preInsln.exe %USERPROFILE%\Local Settings\Temp\THI52D5.tmp
payload2.cab %USERPROFILE%\Local Settings\Temp\THIEBF.tmp
FT1_02_0_402_GEPFAH.EXE %USERPROFILE%\Local Settings\Temp\THIEBF.tmp
payload2.inf %USERPROFILE%\Local Settings\Temp\THIEBF.tmp

- payload2.cab の内容
    FT1_02_0_402_GEPFAH.EXE
    payload2.inf
- localNrd.cab の内容
    localNRD.dll
    localNrd.inf
    polall1l.exe
    preInsln.exe

- localNrd.inf

[version]
signature="$CHICAGO$"
AdvancedINF=2.0

[DefaultInstall]
CopyFiles=CopySystemFiles,INFFile,poller
RegisterOCXs=RegisterOCXSection
RunPostSetupCommands=RunPostInstall,RunPol

[CopySystemFiles]
localNRD.dll,,,34
preInsln.exe,,,34

[INFFile]
localNrd.inf,,,34

[poller]
polall1l.exe,,,34

[DestinationDirs]
CopySystemFiles=10
INFFile=17
poller=11

[RegisterOCXSection]
"%10%\localNRD.dll"

[SourceDisksNames]
1="CAB File",,,

[RunPostInstall]
"%10%\preInsln.exe"

[Runpol]
"%11%\polall1l.exe /regserver"



- payload2.inf

[version]
signature="$CHICAGO$"
AdvancedINF=2.0

[DefaultInstall]
CopyFiles=CopySystemFiles,INFFile
RunPostSetupCommands=RunPostInstall

[CopySystemFiles]
FT1_02_0_402_GEPFAH.EXE,,,34

[INFFile]
payload2.inf,,,34

[DestinationDirs]
CopySystemFiles=10
INFFile=17

[RunPostInstall]
"%10%\FT1_02_0_402_GEPFAH.EXE"

[SourceDisksNames]
1="CAB File",,,



- AVG での検出結果
  AVG - Trojan horse Downloader.Agent.AS
  File version 7.1.0.287 , Virus base 265.4.1 でチェック
  polall1a.exe のみ Trojan horse Downloader.Agent.AS として検知

- Reference
  giant Labs - Spyware Research Center - FlashTalk
  http://www.spynet.com/spyware/spyware-FlashTalk.aspx