Infected myself via Virtual Machine (Windows XP SP2)
Infection Method - Direct (Visited the Offending URL)
• Tested in IE6 and WAS infected.
• Tested in IE8 and was NOT infected.
• Tested in Firefox 3.5.6 (no add-ons) and was NOT infected.
[ Virus Scanner Information ]
http://www.virustotal.com/analisis/b6b03bccffe571af796e3a110c9ec0291d08ccee666597e3273d6033e583ac9c-1261435112
[ Virus Files and Names ]
• c:\windows\system32\<randomly-generated-name>.exe
- If you visited FFXIAH.COM during the infected period and are worried about whether or not you are infected, please go to Microsoft TechNet (Sysinternals) and download the Autoruns tool:
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
- Extract the files to a directory and run 'autoruns.exe'.
NOTE: When you initially run the program, it will begin a scan. Tap the Escape button once and it will cancel the scan. Make sure that 'Verify Code Signatures' and 'Hide Signed Microsoft Entries' are selected in the 'Options' menu of the program, then execute another scan by clicking the Refresh icon.
- If you are infected, you will see the highlighted entry under the 'UserInit' section:
http://www.moofah.com/temp/media/ima...ffxiah-trj.jpg
- The filename the trojan uses is randomized, but is always placed in the 'C:\Windows\System32' file folder.