Description:
This Trojan is a downloader program. Its task is to install itself on a system.
Its installation starts by getting the path of the Start Menu Programs folder. It then creates a new folder named Xtray in the Start Menu Programs folder.
In this folder, it creates the batch file Uninstall Xtray.bat.
The contents of this batch file run the file UninstallXtray.exe.
It also creates the script file Xtrayinst.ftp in the Windows Temp folder. This contains FTP command lines.
This Trojan then runs the following program using the said script file.
%Windows%\system32\ftp.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Running this program results in the download of files from the FTP server srvtray.com, which are saved as the following files:
- C:\Program Files\Xtray\UninstallXtray.exe
- C:\Program Files\Xtray\Xtray.bup
- C:\Program Files\Xtray\Xtray.cfg
- C:\Program Files\Xtray\Xtray_link.exe
This Trojan logs on to the FTP server using an anonymous account.
Once the download is complete, it creates an autorun registry entry. It then silently opens the following Web site:
http://sr<BLOCKEd>ay.com/new_install.asp?time=<current system time>
It notifies the said Web site that another copy of this Trojan has been installed on a system. The Web site returns the word "Done".
This Trojan runs on Windows 95, 98, ME, NT, 2000, and XP.
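The file artifacts listed in this description can be checked against a file listing collected from a host. The following Python sketch is an added example, not part of the original description; the function names, the sample listing, and the choice to match any drive letter and any folder named Temp are assumptions.

```python
import re

# Artifact patterns taken from the description above. Windows paths are
# case-insensitive, so every pattern is compiled with re.IGNORECASE.
INDICATORS = {
    "start_menu_uninstaller": r"\\Start Menu\\Programs\\Xtray\\Uninstall Xtray\.bat$",
    "ftp_script_in_temp": r"\\Temp\\Xtrayinst\.ftp$",  # assumption: any folder named Temp
    "downloaded_payload": r"^[A-Z]:\\Program Files\\Xtray\\"  # assumption: any drive letter
                          r"(UninstallXtray\.exe|Xtray\.bup|Xtray\.cfg|Xtray_link\.exe)$",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in INDICATORS.items()}


def normalize(path):
    """Trim whitespace and quotes and unify separators so listings from different tools compare equal."""
    return path.strip().strip('"').replace("/", "\\")


def sweep(paths):
    """Return {indicator_name: [matching paths]} for a file listing."""
    hits = {}
    for raw in paths:
        p = normalize(raw)
        for name, rx in COMPILED.items():
            if rx.search(p):
                hits.setdefault(name, []).append(p)
    return hits


def verdict(hits):
    """One artifact may be a leftover; all three stages together match the described install."""
    if len(hits) == len(COMPILED):
        return "full install chain present"
    return "partial artifacts" if hits else "clean"


# Constructed sample listing (not from a real host).
SAMPLE_LISTING = [
    r"C:\WINNT\Temp\XTRAYINST.FTP",
    r"C:\Documents and Settings\alice\Start Menu\Programs\Xtray\Uninstall Xtray.bat",
    "c:/program files/xtray/xtray_link.exe",
    r"C:\Program Files\Xtray\readme.txt",       # same folder, not a listed file
    r"C:\Program Files\XtrayTools\Xtray.cfg",   # similar folder name, must not match
]

if __name__ == "__main__":
    found = sweep(SAMPLE_LISTING)
    for name, paths in found.items():
        print(name, paths)
    print(verdict(found))
```

The Start Menu pattern assumes an English-language Windows installation; localized systems use a different folder name.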
Description created: Sep. 10, 2004 4:38:17 AM GMT -0800
Description updated: Dec. 13, 2004 1:15:08 AM GMT -0800