F1
08-21-2006, 03:55 AM
Troj/Cosiam-K includes functionality to access the internet and communicate
with a remote server via HTTP.
When first run, Troj/Cosiam-K copies itself to <System>\stonedrv.exe and creates
the following files:

<System>\TheMatrixHasYou.exe
<System>\inistone.ini

The file TheMatrixHasYou.exe is detected as Troj/Daemoni-AK.

The following registry entries are created to run stonedrv.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
stonedrv
<System>\stonedrv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
stonedrv
<System>\stonedrv.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
stonedrv
<System>\stonedrv.exe

Registry entries are created under:
HKLM\SOFTWARE\Microsoft\
Sophos Security (http://www.sophos.com/security/analyses/trojcosiamk.html)
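
A read-only check for the artifacts listed in the post, added here as an example (it is not part of the post or of the Sophos analysis). It assumes <System> means the Windows system directory; the WOW6432Node and SysWOW64 locations go beyond what the write-up lists.

```powershell
# Added example: read-only check for the Troj/Cosiam-K artifacts listed above.
# Assumption: <System> is the Windows system directory of the running host.
$valueName = 'stonedrv'
$fileNames = 'stonedrv.exe', 'TheMatrixHasYou.exe', 'inistone.ini'

# The three autostart keys named in the write-up.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

# Beyond the write-up: on 64-bit Windows, writes by a 32-bit process to
# HKLM\SOFTWARE and System32 are redirected, so check those views as well.
$runKeys += $runKeys | Where-Object { $_ -like 'HKLM:\SOFTWARE\*' } |
    ForEach-Object { $_ -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\WOW6432Node\' }
$systemDirs = @([Environment]::SystemDirectory,
                (Join-Path $env:SystemRoot 'SysWOW64')) | Select-Object -Unique

$findings = @()

foreach ($key in $runKeys) {
    # A missing key (RunServices may be absent) or a missing value yields $null.
    $prop = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($prop) {
        $findings += [pscustomobject]@{ Type = 'RunValue'; Location = $key; Data = $prop.$valueName }
    }
}

foreach ($dir in $systemDirs) {
    foreach ($name in $fileNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            # Record a hash so the file can be compared against vendor detections.
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Data = $hash }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No Troj/Cosiam-K artifacts from the write-up were found.' }
```

The HKCU key reflects only the account running the script, so run it in the context of each user profile that needs checking.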