Name: Asssniffer1.0.1

 

Main: IPStealer.exe 120 KB (122,880 bytes)

 

Keys: Values added: 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:P:\hamvccrq\Nfffavssre1.0.1\VCFgrnyre.rkr"

                        Type: REG_BINARY

                        Data: AE, 00, 00, 00, 06, 00, 00, 00, C0, 7C, 50, 15, 30, FC, C0, 01

 

Values changed: 3

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU "MRUListEx"

                        Old type: REG_BINARY

                        New type: REG_BINARY

                        Old data: (data too large: 804 bytes)

                        New data: (data too large: 804 bytes)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\120 "ViewView2"

                        Old type: REG_BINARY

                        New type: REG_BINARY

                        Old data: 1C, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 30, 00, 03, 00, 00, 00, 01, 00, 00, 00, 00, 00, 00, 00, F0, F0, F0, F0, 14, 00, 03, 00, 30, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00

                        New data: 1C, 00, 00, 00, 01, 00, 00, 00, 00, 00, DE, 00, 00, 00, 30, 00, 00, 00, 00, 00, 01, 00, 00, 00, 03, 00, 00, 00, F0, F0, F0, F0, 14, 00, 03, 00, 30, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU"

                        Old type: REG_BINARY

                        New type: REG_BINARY

                        Old data: AE, 00, 00, 00, 1A, 1B, 00, 00, 00, 4E, 90, CE, 2F, FC, C0, 01

                        New data: AE, 00, 00, 00, 1B, 1B, 00, 00, C0, 7C, 50, 15, 30, FC, C0, 01

 

Version: 1.0.1

 

Type: IP sniffer

 

Port/s used: 80 TCP

 

Files: none

 

Modifies: none

 

Aliases: none

 

Behaviour: Once executed, the program listens on port 80 for incoming connections.

 

Removal: Delete IPStealer.exe and settings.dll. Both files will be in the same directory, but that directory could be located anywhere on the computer.

 

Special: Sniffs IPs over any messaging service:

 

AIM (AOL Instant Messenger)

ICQ

Yahoo! Messenger

MSN Messenger

IRC

 

Author: mf4

 

Notes: This is not a trojan as such; it is more of a trojan-client IP sniffer. It opens a port on the user's computer, then creates a hyperlink to be given to a victim. When the victim connects, it scans their computer for trojans and tells the user whether they are infected, and it can then even be used to connect to the victim.