Boolwark is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user's computer in a malicious way. Trojans do not replicate or spread to other computers. Boolwark is compressed using an executable packer and its file size is 259,072 bytes.

Boolwark drops the following files on the hard drive:

- C:\WINDOWS\TEMP\fa3f2c4e40a50930afcdca2338a3a7c9.bat (121 bytes)
- C:\WINDOWS\system32\fdfbefaddaca.dll (128000 bytes)
It also changes the Windows registry:

- Creates value "Blud"="GtKKoINUTvtoD92TssdNSRYU/2CEOhCQWiV3VuB18uB5lwvMLYIsX1GRgrKv3zar" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon".
- Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fdfbefaddaca".
- Sets value "DllName"="C:\WINDOWS\system32\fdfbefaddaca.dll" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fdfbefaddaca".
- Sets value "Impersonate"="" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fdfbefaddaca".
- Sets value "Asynchronous"="\x01" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fdfbefaddaca".
- Sets value "StartShell"="ss" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fdfbefaddaca".
- Sets value "Logon"="l" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fdfbefaddaca".
- Sets value "Logoff"="lf" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fdfbefaddaca".
- Sets value "Startup"="sup" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fdfbefaddaca".
- Sets value "Unlock"="u" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fdfbefaddaca".
- Sets value "Shutdown"="sd" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fdfbefaddaca".
It also contains anti-debugging code, is executed every time Windows starts, attempts to acquire the "SeDebugPrivilege" privilege,
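The registry changes above register the dropped DLL as a Winlogon notification package, which is how it gets loaded at every start. The following script is an added example, not part of the original description: it parses a `reg export` of the Winlogon\Notify key and lists every notification package with the events it hooks, so an entry like the one above stands out; `SAMPLE_REG`, the `examplepkg` package and the allowlist are constructed for illustration.

```python
"""Triage Winlogon Notify packages from a .reg export of the Notify key.
Added example, not from the page; SAMPLE_REG is a constructed export."""
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# Event value names Winlogon looks for in a notification package subkey.
EVENTS = {"Logon", "Logoff", "Startup", "Shutdown", "StartShell", "Lock", "Unlock",
          "StartScreenSaver", "StopScreenSaver", "Disconnect", "Reconnect", "PostShell"}

SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\examplepkg]
"DllName"="C:\\WINDOWS\\system32\\examplepkg.dll"
"Logon"="WlxLogonEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fdfbefaddaca]
"DllName"="C:\\WINDOWS\\system32\\fdfbefaddaca.dll"
"Asynchronous"=dword:00000001
"StartShell"="ss"
"Logon"="l"
"Logoff"="lf"
"Startup"="sup"
"Unlock"="u"
"Shutdown"="sd"
'''

def parse_reg(text):
    """Return {key_path: {value_name: value}} for string and dword values.
    Only the backslash escape used in .reg string values is unescaped."""
    keys, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys[cur] = {}
        elif cur is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                keys[cur][name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                keys[cur][name] = raw[1:-1].replace("\\\\", "\\")
    return keys

def triage_notify(reg_text, allowlist=frozenset()):
    """One record per Notify package; 'suspicious' unless its DLL is allowlisted."""
    allowed = {a.lower() for a in allowlist}
    out = []
    for path, vals in parse_reg(reg_text).items():
        if not path.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            continue  # not a package subkey under Winlogon\Notify
        dll = vals.get("DllName", "")
        out.append({"package": path.rsplit("\\", 1)[1], "dll": dll,
                    "hooks": sorted(v for v in vals if v in EVENTS),
                    "asynchronous": bool(vals.get("Asynchronous", 0)),
                    "suspicious": dll.lower() not in allowed})
    return out
```

Run it against a real export with the allowlist of packages your build is known to ship; anything else that hooks several logon events from a DLL in system32 deserves a closer look.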