PERL_DAVKIT.A

It may also overwrite the following files if they exist:

• C:\mIRC\script.ini
• %Program Files%\mIRC\script.ini

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It restarts the affected system.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following copies of itself into the affected system:

• %Windows%\csscheat.bat
• %Program Files%\sharex\xxx\xxxlist.bat
• %Program Files%\sharex\crackz\css_xwallhack.bat

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.. %Program Files% is the default Program Files folder, usually C:\Program Files.)

It creates the following folders:

• %Program Files%\sharex\xxx
• %Program Files%\sharex\crackz

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
vwin = %Windows%\%v%.bat

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
vwin = %Windows%\%v%.bat

It drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

• C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\win.bat
• C:\Documents and Settings\All Users\Start Menu\Programs\Startup\win.bat

Other System Modifications

This Trojan adds the following line(s)/entry(ies) in the WIN.INI file:

• [windows]
• run=%windir%\%v%.bat
• load=%windir%\%v%.bat

File Infection

This Trojan overwrites files with the following extensions:

• .bat
• .txt
• .doc
• .exe
• .ini
• .cfg

Process Termination

This Trojan terminates processes or services that contain any of the following strings if found running in the affected system's memory:

• norton
• av
• fire
• anti
• spy
• bullguard
• PersFw
• KAV
• ZONEALARM
• SAFEWEB
• OUTPOST
• nv
• nav
• F-
• ESAFE
• cle
• BLACKICE
• def

HOSTS File Modification

This Trojan adds the following strings to the Windows HOSTS file:

• 127.0.0.1 www.google.com
• 127.0.0.1 www.google.de
• 127.0.0.1 www.symantec.de
• 127.0.0.1 www.free-av.de
• 127.0.0.1 www.free-av.com
• 127.0.0.1 www.antivir.de
• 127.0.0.1 www.antivir.com
• 127.0.0.1 www.kaspersky.com
• 127.0.0.1 www.kaspersky.de
• 127.0.0.1 www.microsoft.com
• 127.0.0.1 www.microsoft.de
• 127.0.0.1 www.sophos.com
• 127.0.0.1 www.sophos.de
• 127.0.0.1 www.symantec.com
• 127.0.0.1 www.hijackthis.de
• 127.0.0.1 www.spychecker.com
• 127.0.0.1 www.trendmicro.com
• 127.0.0.1 www.trendmicro.de
• 127.0.0.1 www.lavasoftusa.com
• 127.0.0.1 www.yahoo.com
• 127.0.0.1 www.yahoo.de
• 127.0.0.1 www.lycos.com
• 127.0.0.1 www.lycos.de

Other Details

This Trojan restarts the affected system.

It does the following:

• It may also overwrite the following files if they exist:
  • C:\mIRC\script.ini
  • %Program Files%\mIRC\script.ini

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)