Name: Ashley 1.0.1a
Keys: value added under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
"HRZR_EHACNGU:P:\hamvccrq\Nfuyrl1.0.1\Nfuyrl_1.0.1n\nfuyrl.rkr"
Type: REG_BINARY
Data: 55, 00, 00, 00, 06, 00, 00, 00, 20, 43, 3F, 69, 97, B8, C0, 01
UserAssist value names are ROT13-encoded; this one decodes to UEME_RUNPATH:C:\unzipped\Ashley1.0.1\Ashley_1.0.1a\ashley.exe, the path the sample was launched from on the test machine. These entries are written by Explorer itself whenever a program is started through the shell, so they record the analyst running the sample rather than anything the trojan does. The data is a 16-byte record: a 4-byte session field, a 4-byte run counter and an 8-byte FILETIME of the last run, all little-endian.
Value changed under the same key:
"HRZR_EHACNGU" (ROT13 for UEME_RUNPATH, the aggregate counter for all program launches)
Type: REG_BINARY (unchanged)
Old data: 55, 00, 00, 00, FC, 08, 00, 00, A0, D2, 8A, 3B, 97, B8, C0, 01
New data: 55, 00, 00, 00, FD, 08, 00, 00, 20, 43, 3F, 69, 97, B8, C0, 01
The counter at offset 4 went from 0x08FC to 0x08FD (one more launch) and the FILETIME was updated to the same timestamp as the new value above.
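To make the registry data above usable in a timeline, the following script (an added example written for this page, not part of the original writeup) ROT13-decodes the UserAssist value name, splits the 16-byte REG_BINARY record into its session, counter and FILETIME fields, and converts the FILETIME to a UTC date. The byte strings are copied from the entries listed above; the field layout is the documented UserAssist record for Windows 2000/XP-era systems and is assumed to apply to the test machine here. The well-known "stored count minus 5" offset for 2000/XP is noted in a comment only, since the page does not state the OS version of the test box.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Values copied from the registry entries recorded on this page.
ROT13_NAME = r"HRZR_EHACNGU:P:\hamvccrq\Nfuyrl1.0.1\Nfuyrl_1.0.1n\nfuyrl.rkr"
NEW_DATA = "55, 00, 00, 00, 06, 00, 00, 00, 20, 43, 3F, 69, 97, B8, C0, 01"
OLD_TOTAL = "55, 00, 00, 00, FC, 08, 00, 00, A0, D2, 8A, 3B, 97, B8, C0, 01"
NEW_TOTAL = "55, 00, 00, 00, FD, 08, 00, 00, 20, 43, 3F, 69, 97, B8, C0, 01"

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(name: str) -> str:
    """UserAssist value names are ROT13-obfuscated; non-letters pass through unchanged."""
    return codecs.decode(name, "rot_13")


def hex_list_to_bytes(s: str) -> bytes:
    """Turn a regedit-style 'AA, BB, CC' dump into raw bytes."""
    return bytes(int(b, 16) for b in s.replace(" ", "").split(","))


def parse_userassist(data: bytes) -> dict:
    """Split the 16-byte record: uint32 session, uint32 run count, uint64 FILETIME (little-endian).

    On Windows 2000/XP the stored count is documented as starting at 5, so the
    number of real launches is count - 5; that adjustment is left to the caller.
    """
    if len(data) < 16:
        raise ValueError("UserAssist record is shorter than 16 bytes")
    session, count, filetime = struct.unpack("<IIQ", data[:16])
    last_run = EPOCH_1601 + timedelta(microseconds=filetime // 10)
    return {"session": session, "count": count, "filetime": filetime, "last_run": last_run}


def run_delta(old: dict, new: dict) -> int:
    """How many additional launches the aggregate counter recorded between two snapshots."""
    return new["count"] - old["count"]


if __name__ == "__main__":
    print(decode_name(ROT13_NAME))
    rec = parse_userassist(hex_list_to_bytes(NEW_DATA))
    print(f"session=0x{rec['session']:02X} count={rec['count']} last_run={rec['last_run'].isoformat()}")
    old = parse_userassist(hex_list_to_bytes(OLD_TOTAL))
    new = parse_userassist(hex_list_to_bytes(NEW_TOTAL))
    print(f"UEME_RUNPATH total went {old['count']} -> {new['count']} (+{run_delta(old, new)})")
```

The decoded FILETIME gives the moment the analyst launched the sample, which is the anchor for ordering the file and mirc.ini changes listed further down.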
Version: 1.0.1a
Type: IRC/e-mail worm and downloader trojan
Port/s used: 12345
Files:
c:\_RESTORE\TEMP\A0085995.CPY  Size: 333 bytes (c:\_RESTORE is the Windows ME System Restore store; this copy is the same size as script1.ini below)
c:\WINDOWS\SYSTEM\ashley_secret_xxx_diary.exe  Size: 14,375 bytes
c:\mirc\script1.ini  Size: 333 bytes
Modifies: c:\mirc\mirc.ini  Old size: 3,156 bytes  New size: 3,199 bytes (43 bytes added)
Aliases: none
Behaviour: once executed, the server component slows the PC down considerably and the effect is very noticeable; it is resource intensive and actually froze the PC this trojan was tested on. It also spreads itself using mIRC, Outlook Express and IRCn.
Removal: deleting c:\WINDOWS\SYSTEM\ashley_secret_xxx_diary.exe (14,375 bytes) removes the trojan, but because Windows is using the file it may refuse to let you delete it. The simplest way is to use a program that lets you kill processes, end the trojan's process and then delete the file. It can also be done by booting into DOS mode, but most people are not familiar with DOS and Windows ME does not let you boot into DOS mode, so the process-killer route is the easiest and most convenient one. You will also need to delete mirc.ini and script1.ini; this will wreck mIRC on your system, so uninstall mIRC and reinstall it afterwards to fix it. Note the copy under c:\_RESTORE\TEMP: Windows ME System Restore has already archived a copy of one of the infected files, so turn System Restore off (which purges its store) before cleaning, otherwise a later restore can bring the file back.
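The page records that the infection adds 43 bytes to mirc.ini and drops a 333-byte script1.ini, which is how an IRC worm gets mIRC to load its script. The check below is an added example for this page (not the author's code): it parses the [rfiles] and [afiles] sections of a mirc.ini, where mIRC lists the remote and alias script files it loads at startup, and flags any script that is not in a known-good baseline. The sample mirc.ini contents are constructed for the example; the page does not show the real 43-byte change, so the exact line the worm adds is an assumption here.

```python
import configparser
import ntpath

# Constructed sample of a mirc.ini after infection. The page only records that the
# file grew by 43 bytes; the assumed change is an extra [rfiles] entry for script1.ini.
INFECTED_MIRC_INI = """[mirc]
nick=victim
[rfiles]
n0=script.ini
n1=c:\\mirc\\script1.ini
[afiles]
n0=aliases.ini
"""

# Constructed clean baseline for comparison.
CLEAN_MIRC_INI = """[mirc]
nick=victim
[rfiles]
n0=script.ini
[afiles]
n0=aliases.ini
"""

# Script files a stock mIRC install is expected to load, per section.
BASELINE = {
    "rfiles": {"script.ini"},
    "afiles": {"aliases.ini"},
}


def loaded_scripts(ini_text: str) -> dict:
    """Return {section: [script path, ...]} for the script-loading sections of mirc.ini."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.optionxform = str  # keep key names as written (n0, n1, ...)
    cp.read_string(ini_text)
    found = {}
    for section in ("rfiles", "afiles"):
        if cp.has_section(section):
            # mIRC numbers the entries n0=, n1=, ...; ignore anything else in the section.
            found[section] = [v for k, v in cp.items(section)
                              if k[:1] == "n" and k[1:].isdigit() and v]
    return found


def suspicious_scripts(ini_text: str, baseline: dict = BASELINE) -> list:
    """List (section, path) pairs for scripts mIRC would load that are not in the baseline."""
    flagged = []
    for section, paths in loaded_scripts(ini_text).items():
        allowed = {name.lower() for name in baseline.get(section, set())}
        for path in paths:
            # ntpath handles the backslash paths mIRC writes, even when run on a non-Windows host.
            if ntpath.basename(path).lower() not in allowed:
                flagged.append((section, path))
    return flagged


if __name__ == "__main__":
    for section, path in suspicious_scripts(INFECTED_MIRC_INI):
        print(f"unexpected script loaded from [{section}]: {path}")
```

A baseline comparison like this is only a first pass: a legitimately added user script will also be flagged, so treat a hit as something to read, not something to delete blindly. Since mIRC keeps the entries numbered, an injected script shows up as a new n<N>= line, which also explains the small size increase the page records.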
Special: this trojan has some disturbing capabilities. It attempts to send itself to others using programs you may have on your PC, e.g. mIRC, Outlook Express and IRCn. Its main purpose is to download a file from a server the attacker specified when configuring the server component, and then run that file. The danger is that the attacker can use this trojan to infect the victim with a more powerful trojan, and the victim helps him reach more victims by unknowingly spreading it through mIRC and the other clients.
Author: nexzus
Notes: for the server to actually work on the infected machine it needs the Visual Basic runtime files to be present. The trojan reuses source code from other trojans, including Senna Spy, and may be detected by some virus scanners as the Senna Spy worm.