Summary
The following had been written to D:\INSTALL.LOG:
*** Installation Started 10/22/04 7:12 ***
Title: FlashTalk 1.2 Installation
Source: C:\WINNT\FT1_02_0_402_GEPFAH.EXE
Installation Aborted!
Suspicious files and their paths
File | Location |
FT1_02_0_402_GEPFAH.EXE | C:\WINNT |
localNRD.dll | C:\WINNT |
preInsln.exe | C:\WINNT |
localNrd.inf | C:\WINNT\inf |
payload2.inf | C:\WINNT\inf |
banner.exe | %USERPROFILE%\Local Settings\Temp |
dummy.htm | %USERPROFILE%\Local Settings\Temp |
localNrd.cab | %USERPROFILE%\Local Settings\Temp\THI52D5.tmp |
localNRD.dll | %USERPROFILE%\Local Settings\Temp\THI52D5.tmp |
localNrd.inf | %USERPROFILE%\Local Settings\Temp\THI52D5.tmp |
polall1.exe | %USERPROFILE%\Local Settings\Temp\THI52D5.tmp |
preInsln.exe | %USERPROFILE%\Local Settings\Temp\THI52D5.tmp |
payload2.cab | %USERPROFILE%\Local Settings\Temp\THIEBF.tmp |
FT1_02_0_402_GEPFAH.EXE | %USERPROFILE%\Local Settings\Temp\THIEBF.tmp |
payload2.inf | %USERPROFILE%\Local Settings\Temp\THIEBF.tmp |
Contents of payload2.cab
FT1_02_0_402_GEPFAH.EXE
payload2.inf
Contents of localNrd.cab
localNRD.dll
localNrd.inf
polall1l.exe
preInsln.exe
Contents of localNrd.inf
[version]
signature="$CHICAGO$"
AdvancedINF=2.0
[DefaultInstall]
CopyFiles=CopySystemFiles,INFFile,poller
RegisterOCXs=RegisterOCXSection
RunPostSetupCommands=RunPostInstall,RunPol
[CopySystemFiles]
localNRD.dll,,,34
preInsln.exe,,,34
[INFFile]
localNrd.inf,,,34
[poller]
polall1l.exe,,,34
[DestinationDirs]
CopySystemFiles=10
INFFile=17
poller=11
[RegisterOCXSection]
"%10%\localNRD.dll"
[SourceDisksNames]
1="CAB File",,,
[RunPostInstall]
"%10%\preInsln.exe"
[Runpol]
"%11%\polall1l.exe /regserver"
Contents of payload2.inf
[version]
signature="$CHICAGO$"
AdvancedINF=2.0
[DefaultInstall]
CopyFiles=CopySystemFiles,INFFile
RunPostSetupCommands=RunPostInstall
[CopySystemFiles]
FT1_02_0_402_GEPFAH.EXE,,,34
[INFFile]
payload2.inf,,,34
[DestinationDirs]
CopySystemFiles=10
INFFile=17
[RunPostInstall]
"%10%\FT1_02_0_402_GEPFAH.EXE"
[SourceDisksNames]
1="CAB File",,,
Detection result with AVG
Checked with file version 7.1.0.287, virus base 265.4.1
Only polall1a.exe was detected, as Trojan horse Downloader.Agent.AS
Reference
giant Labs - Spyware Research Center - FlashTalk
http://www.spynet.com/spyware/spyware-FlashTalk.aspx