Name: Atomic2.11

 

Main: atomic.exe size 36.0 KB (36,864 bytes)

 

Keys:  values added: 2

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:P:\hamvccrq\Ngbzvp2.11\Eryrnfr\ngbzvp2.rkr"

                        Type: REG_BINARY

                        Data: 58, 00, 00, 00, 06, 00, 00, 00, 60, 5E, E4, DF, 41, BA, C0, 01

           

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "DialUpSecurity"

                        Type: REG_SZ

                        Data: C:\WINDOWS\SYSTEM\dialupsc.exe
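
The UserAssist value listed above can be read by hand: its name is ROT13-encoded and its 16 data bytes form a small binary record. The Python below is an added example, not part of the original entry; the record layout (two little-endian DWORDs followed by a 64-bit FILETIME) is an assumption based on the 16-byte UserAssist format of that Windows era, and the function names are illustrative.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Value name and data copied from the UserAssist entry under "Keys".
VALUE_NAME = r"HRZR_EHACNGU:P:\hamvccrq\Ngbzvp2.11\Eryrnfr\ngbzvp2.rkr"
VALUE_DATA = "58, 00, 00, 00, 06, 00, 00, 00, 60, 5E, E4, DF, 41, BA, C0, 01"

# FILETIME counts 100 ns ticks from this date.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(name):
    """ROT13-decode a UserAssist value name (digits and punctuation pass through)."""
    return codecs.decode(name, "rot_13")


def parse_data(hex_list):
    """Parse the 16-byte record.

    Assumed layout: session id (DWORD), run counter (DWORD), FILETIME (QWORD),
    all little-endian. The timestamp is interpreted as UTC.
    """
    raw = bytes(int(b, 16) for b in hex_list.split(","))
    if len(raw) != 16:
        raise ValueError(f"expected 16 bytes, got {len(raw)}")
    session, counter, filetime = struct.unpack("<IIQ", raw)
    last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"session": session, "counter": counter, "last_run": last_run}


def decode_entry(name, hex_list):
    """Return the decoded entry type and program path plus the parsed record."""
    kind, _, path = decode_name(name).partition(":")
    record = parse_data(hex_list)
    record.update(kind=kind, path=path)
    return record


if __name__ == "__main__":
    for key, value in decode_entry(VALUE_NAME, VALUE_DATA).items():
        print(f"{key}: {value}")
```

The decoded path shows where the executable was launched from, which is useful when reconstructing how the file arrived on the machine.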

 

Version: 2.11

 

Type: Atomic2 is primarily a Dial Up password retriever, but it can be modified to do all sorts of things.

 

Port/s used: SMTP (Simple Mail Transfer Protocol), 25

 

Files:   c:\WINDOWS\SYSTEM\dialupsc.exe Size: 36,864 bytes

            c:\WINDOWS\SYSTEM\rasxnft.dll Size: 448 bytes

 

Modifies: c:\_RESTORE\ARCHIVE\BKUPVXDLASTLOG.1 Size: 1,048,580 bytes

 

Aliases: none    

 

Behaviour: Once executed, the server waits for a Dial Up connection to be made, and when the connection is alive it sends all the information via an SMTP server to one or more email addresses. After that, it saves all the information that was sent to a file in the system directory ("rasxnfo.dll") and closes itself.

 

Removal: Click Start and go to Run. In the box, type regedit and click OK.

When regedit starts, you will see a file-like tree in the left-hand panel. Open the folders to follow the path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Look for a value named "DialUpSecurity", right-click it and choose Delete.

Reboot, then find and delete the following files:  c:\WINDOWS\SYSTEM\dialupsc.exe Size: 36,864 bytes and c:\WINDOWS\SYSTEM\rasxnft.dll Size: 448 bytes

 

Special: This is an open source trojan released under the GNU license; because of this it is actually very configurable. The average trojan hacker may not be able to code, but a programmer could easily make this into a very dangerous trojan.

 

Author: Marius David

 

Notes: The main feature of this program is its size (36KB); because of this it can be easily emailed or transferred to any computer. When Windows is restarted, it will close automatically if the new information matches the information that was already sent. The data is encoded but can be decoded using decode.exe, 32.0 KB (32,768 bytes), which comes with the trojan server file. You may be able to find out who the hacker is by using this file and looking for the email address the server has been configured to send to.