| Malware name | Script.IETitle.C |
| Type | Script |
| Affected platform | Win32 |
| Media-Type | none |
| MD5 checksum | 2BDB0A0DFC72D96C80CD4386C2EC415F |
| Static file | no |
| Filesize | 3,736 Bytes |

Alias names (also known as)

| Sophos | VBS/Solow-A |
| McAfee | VBS/IE-Title |
| CA ETrust | VBS/Slogod.A |

| Side effects | Drops a malicious file; Registry modification |
| Propagation | Mapped network drives |

Description:
Files
It copies itself to the following locations:
• %WINDIR%\MS32DLL.dll.vbs
• %drive%\MS32DLL.dll.vbs
The following file is created:
– %drive%\autorun.inf
It is executed once it has been fully created. Further investigation showed that this file is malware as well, detected as Script.IETitle.A.
Registry
One of the following values is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "MS32DLL"="%WINDIR%\MS32DLL.dll.vbs"
The following registry key is changed:
– [HKCU\Software\Microsoft\Internet Explorer\Main]
New value:
• "Window Title"="Hacked by Godzilla"
File details
Programming language:
The malware program was written in Visual Basic.