Conquer Online Multi+9

09/25/2007 23:48 drbetamax#1
Here's the goods.

*Edit by a1blaster, Link removed, see post below*
09/25/2007 23:49 bone-you#2
"Goods" that don't exist o.o cool.
09/26/2007 00:37 kkaosbudbud#3
first off ... what the hell is this
09/26/2007 00:38 kkaosbudbud#4
Antivir: Nothing found
ArcaVir: Nothing found
Avast: Nothing found
AVG: Nothing found
BitDefender: Nothing found
ClamAV: Nothing found
F-Prot: Nothing found
Norman: Nothing found
Rising: Nothing found
VirusBlokAda32: Nothing found
VirusBuster: Nothing found

09/26/2007 01:17 thekiller99#5
doesn't work
09/26/2007 02:02 phoenix01134#6
I really don't get those stupid virus scan posts; it's false reassurance for all the noobs. Anyone can just fake a virus report, therefore none of those reports mean a thing; you have to scan the file yourself.

No such thing as a multi client +9 exists either. From what I know, the "+" system is used for game trainers, showing how many functions a trainer has. I don't see why you would embed 9 extra functions into a multi-client when it's better practice to just make 9 separate standalone programs, since it's an MMO.

In my humble opinion, I'd say it's some form of malware ;).
09/26/2007 02:24 high6#7
A mod please close and ban this guy. It tis a virus.
09/26/2007 05:25 warlord2080#8
Yeah, it's the same guy who posted Conquer Killer, only changed the name :mad:
09/26/2007 23:27 a1blaster#9
Here's the scan I got>>>
Quote:
Antivirus;Version;Last Update;Result
AhnLab-V3;2007.9.22.0;2007.09.24;-
AntiVir;7.6.0.15;2007.09.26;HEUR/Crypted
Authentium;4.93.8;2007.09.26;-
Avast;4.7.1043.0;2007.09.26;-
AVG;7.5.0.488;2007.09.26;-
BitDefender;7.2;2007.09.26;-
CAT-QuickHeal;9.00;2007.09.26;-
ClamAV;0.91.2;2007.09.26;-
DrWeb;4.33;2007.09.26;-
eSafe;7.0.15.0;2007.09.23;-
eTrust-Vet;31.2.5167;2007.09.26;-
Ewido;4.0;2007.09.25;-
FileAdvisor;1;2007.09.26;-
Fortinet;3.11.0.0;2007.09.26;-
F-Prot;4.3.2.48;2007.09.26;-
F-Secure;6.70.13030.0;2007.09.26;-
Ikarus;T3.1.1.12;2007.09.26;MemScanBackdoor.VB.EV
Kaspersky;4.0.2.24;2007.09.26;-
McAfee;5128;2007.09.26;-
Microsoft;1.2803;2007.09.26;-
NOD32v2;2552;2007.09.26;-
Norman;5.80.02;2007.09.26;-
Panda;9.0.0.4;2007.09.26;-
Prevx1;V2;2007.09.26;Heuristic: Suspicious Self Modifying EXE
Rising;19.42.22.00;2007.09.26;-
Sophos;4.21.0;2007.09.26;-
Sunbelt;2.2.907.0;2007.09.26;VIPRE.Suspicious
Symantec;10;2007.09.26;-
TheHacker;6.2.6.071;2007.09.26;-
VBA32;3.12.2.4;2007.09.26;-
VirusBuster;4.3.26:9;2007.09.26;-
Webwasher-Gateway;6.0.1;2007.09.26;Heuristic.Crypted

Additional information
File size: 1548288 bytes
MD5: b16c0ed9d6496dfe7893b8dc6a20a3f5
SHA1: 90f586202746538d1db8ab3ce44cbeb1aafe8e6d
packers: Themida
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
Here's a Spanish translation of what MemScanBackdoor.VB.EV is>>>
Quote:
> INFORMATION
This Trojan does not propagate by itself. It can arrive on the computer via manual copy onto the system, by being downloaded intentionally or through deception from some malicious site, or through P2P file-sharing networks, generally disguised as an application.


> CHARACTERISTIC
A malicious user could also mass-send the Trojan to his victim in an individual e-mail message or by means of spam to other users.

When executed, it opens a back door that allows a remote user to take total control of the infected machine.

It uses ports TCP/1040, 1041 and 1043 by default, but it can be configured to use others.

It can create several files in the Windows system folder, some with the read-only (+R), system (+S) and hidden (+H) attributes. Some examples:

c:\windows\system32\Explorer.exe
c:\windows\system32\ravmond.exe
c:\windows\system32\Svch0st.exe
c:\windows\system32\Winlogon.exe

It creates some of the following registry entries to run itself automatically at each restart of Windows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
[name] = [name and path of executable]

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
run = [name and path of executable]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[name] = [name and path of executable]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
[name] = [name and path of executable]

Where [name] can be a value of the following ones (among others):

ravmond
svchost
system
winlogon
[name of executable]

The Trojan allows the following actions, among others:

Access the files on the infected machine.
Turn the machine on and off, suspend it or shut it down.
Flock archives and format the hard disk.
Capture configuration information about the server and the workstations.
Capture keys typed by the user.
Also capture screens and video (if a webcam exists).
Remote-access control of the files and programs on the attacked systems.
Control peripherals such as the mouse, CD/DVD drives, monitor, etc.
Quietly download, install and execute other programs.
Send mail messages from the infected machine through MAPI libraries.
Listen through the system's microphone.
Modify the default settings of Internet Explorer.
It can send commands through chat.
Steal passwords and credit card numbers.

> INSTRUCTIONS TO ELIMINATE IT
1. Disable System Restore in Windows XP/ME.

2. Restart in Safe Mode.

3. Run an updated antivirus and take note of the infected files before deleting them.

4. Under the “Name” column, delete the entry or entries that refer to the names noted in step 3, in the following registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Now I also find it funny that the person (alaa_a, 0 posts) giving the thanks is a new member, signed up the same day as drbetamax. Also the only other post made by (drbetamax, 2 posts) had the same scan as this one did. That thread was closed too. Now if you looked at his profile you would find that there was posted another program in his siggy that comes up even dirtier than the two programs in two threads.

Both people BANNED now! :p
#Closed!
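
Added example, not part of the thread or of any vendor's tooling: a Python check that reads `reg query` output for the autorun keys named in the quoted description and flags entries that use the listed value names or file names. The sample registry text is constructed, and matching on names alone is an assumption that can also flag unrelated software reusing those names.

```python
import ntpath
import re

# Value names, file names and autorun keys taken from the quoted description.
SUSPECT_NAMES = {"ravmond", "svchost", "system", "winlogon"}
SUSPECT_FILES = {"explorer.exe", "ravmond.exe", "svch0st.exe", "winlogon.exe"}
AUTORUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runservices",
    r"\software\microsoft\windows nt\currentversion\windows",
)
VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")
EXE_PATH = re.compile(r'"?([^"]*?\.exe)', re.IGNORECASE)

def find_suspect_autoruns(reg_text):
    """Return (key, value name, data, reasons) for entries matching the description."""
    hits, key = [], None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().lower()
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not key.endswith(AUTORUN_KEYS):
            continue
        name, _, data = (part.strip() for part in m.groups())
        # Under the Windows NT key the description names only the "run" value.
        if key.endswith(AUTORUN_KEYS[2]) and name.lower() != "run":
            continue
        exe = EXE_PATH.match(data)
        base = ntpath.basename(exe.group(1)).lower() if exe else ""
        reasons = [why for why, hit in (("value name", name.lower() in SUSPECT_NAMES),
                                        ("file name", base in SUSPECT_FILES)) if hit]
        if reasons:
            hits.append((key, name, data, reasons))
    return hits

# Constructed sample in the layout printed by `reg query <key>`; not from the thread.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    svchost    REG_SZ    c:\windows\system32\Svch0st.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    run    REG_SZ    c:\windows\system32\ravmond.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    "C:\Program Files\Example\update.exe" /s
"""
if __name__ == "__main__":
    print(*find_suspect_autoruns(SAMPLE), sep="\n")
```

A hit is a lead to check against the file on disk, not a verdict.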