Name: Ashley 1.0.0b

 

Main:  Ashley.exe 12,827 bytes, editor.exe size 85,504 bytes

 

Keys: values added

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:P:\hamvccrq\Nfuyrl1.0.1\Nfuyrl_1.0.0o\nfuyrl.rkr"

        Type: REG_BINARY

        Data: 55, 00, 00, 00, 06, 00, 00, 00, E0, 0A, 03, E0, 89, B8, C0, 01
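The UserAssist value above is the kind of evidence an investigator uses to prove the dropper was launched: the value name is ROT13-obfuscated (so "HRZR_EHACNGU" is "UEME_RUNPATH") and the 16 bytes of REG_BINARY data hold a session id, a run counter and a FILETIME of the last launch. The script below is an added example, not part of the original write-up, that decodes this exact entry. It assumes the Windows 2000/XP layout of the data (4-byte session, 4-byte count, 8-byte FILETIME) and the documented XP convention that the counter starts at 5, so a stored count of 6 means one launch.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Constants copied from the write-up: the UserAssist value name and its
# REG_BINARY data, embedded so the script runs offline.
VALUE_NAME = r"HRZR_EHACNGU:P:\hamvccrq\Nfuyrl1.0.1\Nfuyrl_1.0.0o\nfuyrl.rkr"
VALUE_DATA = bytes.fromhex(
    "55 00 00 00 06 00 00 00 E0 0A 03 E0 89 B8 C0 01".replace(" ", "")
)

# Assumption: XP-era UserAssist counters start at 5, so the stored value
# is five higher than the number of launches.
XP_COUNT_OFFSET = 5
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(name: str) -> str:
    """UserAssist value names are ROT13-obfuscated; undo that."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_xp_entry(data: bytes) -> dict:
    """Parse the 16-byte XP-era layout: session id, run count, last-run FILETIME."""
    if len(data) != 16:
        raise ValueError(f"expected 16 bytes, got {len(data)}")
    session, stored_count, ft = struct.unpack("<IIQ", data)
    return {
        "session": session,
        "stored_count": stored_count,
        "runs": max(stored_count - XP_COUNT_OFFSET, 0),
        "last_run": filetime_to_datetime(ft) if ft else None,
    }


def describe(name: str, data: bytes) -> dict:
    """Combine the decoded name and parsed data into one record."""
    entry = parse_xp_entry(data)
    decoded = decode_name(name)
    # Entries look like "UEME_RUNPATH:<path>"; split the tag from the path
    # at the first colon so the drive letter stays with the path.
    tag, _, path = decoded.partition(":")
    entry["tag"] = tag
    entry["path"] = path
    return entry


if __name__ == "__main__":
    info = describe(VALUE_NAME, VALUE_DATA)
    for key, value in info.items():
        print(f"{key:13}: {value}")
```

For this entry the decoded path is the unpacked Ashley_1.0.0b folder, the stored count of 6 corresponds to a single launch, and the FILETIME resolves to late March 2001 (UTC), which is consistent with the 1.0.0b version of the server. The same parser applies to any XP-era UserAssist value; later Windows versions use a longer record and need a different layout.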

 

Version: 1.0.0b

 

Type: irc/email worm & downloader trojan

 

Port/s used:  12345

 

Files: c:\WINDOWS\All Users\Start Menu\Programs\StartUp\Explorer.exe Size: 12,827 bytes

       c:\WINDOWS\SYSTEM\ashley_secret_xxx_diary.exe Size: 12,827 bytes

 

Modifies: c:\WINDOWS\DISPLAY.TXT

          Old size: 24,607 bytes

          New size: 3 bytes

 

Aliases:  none

 

Behaviour:  once executed, the server slows the PC down considerably and the effect is very noticeable, as it is resource intensive. It also spreads itself using mIRC, Outlook Express and IRCn.

 

Removal:  deleting ashley_secret_xxx_diary.exe (size: 12,827 bytes) will remove this trojan, but because Windows is using this file it may not let you; the simplest way is to use a program that allows you to kill processes, and then delete the file. It can also be done by booting into DOS mode, but most people are not familiar with DOS and Windows ME doesn't allow you to boot into DOS mode, so I have listed the easiest and most convenient way.

 

 

Special: this trojan has some disturbing capabilities; it attempts to send itself to others using programs that you may have on your PC, e.g. mIRC, Outlook Express and IRCn. The main purpose of this trojan is to download a file from a server specified by the hacker when he configured the server, and to run that file. The danger is that the hacker can use this trojan to infect the victim with a more powerful trojan, and the victim then helps him get more victims by unknowingly spreading the trojan through mIRC etc.

 

Author: nexzus

 

Notes: for the server to actually work on the infected machine, it needs the Visual Basic runtime files. The trojan reuses source code from other trojans, including Senna Spy, and may be detected by certain virus scanners as the Senna Spy worm.