TROJ_NEGASMS.A

Malware type: Trojan

Aliases: Trojan.Win32.Negasm (Kaspersky), QDel229 (McAfee), Hacktool (Symantec), TR/Negasm (Avira), Troj/NegaSms-A (Sophos), Trojan:Win32/Negamsa (Microsoft)

In the wild: No

Destructive: Yes

Language: English

Platform: Windows

Encrypted: No

Overall risk rating:

Description: 
This destructive Trojan, written in Visual Basic, deletes all files and directories in the infected system's drive D:\.

Description created: Mar. 8, 2002 2:55:06 PM GMT -0800
Description updated: Mar. 10, 2002 11:57:23 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 24,576 Bytes

Initial samples received on: Mar 8, 2002

Payload 1: Deletes files and directories on drive D:\

Trigger condition 1: Upon Execution

Details:
This Trojan has two components, a modifier and a payloader.

The modifier sets up the target system so that it executes upon system bootup. It modifies the registry as follows:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"My Agent"="C:\\msagent.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"My App"="C:\\SMSSvc.exe"

The modifier can create an account on a domain server to access a network. Upon next bootup, the payloader executes with the modifier. This Trojan searches for and then deletes the files and directories contained on drive D:\ (whether local or mapped).
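The following check is an added example, not part of the original description: it scans a text export of the registry (.reg format, assumed already decoded to a string) for the two Run-key values listed above. The function names, the "match"/"partial" verdicts and the sample export are assumptions constructed for illustration.

```python
import re

# Run-key values listed in this description (value name -> data), lower-cased.
INDICATORS = {
    "my agent": r"c:\msagent.exe",
    "my app": r"c:\smssvc.exe",
}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string escapes: \\ -> \ and \" -> "
    return re.sub(r'\\(["\\])', r"\1", s)

def scan_reg_export(text):
    """Return (name, data, verdict) for suspicious string values under the HKLM Run key."""
    hits, in_run = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY  # key paths are case-insensitive
            continue
        m = VALUE_RE.match(line)
        if not (in_run and m):
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        expected = INDICATORS.get(name.lower())
        if expected is not None and data.lower() == expected:
            hits.append((name, data, "match"))      # name and data both as listed
        elif expected is not None or data.lower() in INDICATORS.values():
            hits.append((name, data, "partial"))    # only one of the two matches
    return hits

# Constructed sample export (not taken from a real system).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTool"="C:\\Program Files\\Example\\tool.exe"
"My Agent"="C:\\msagent.exe"
"my app"="c:\\smssvc.exe"
"Updater"="C:\\SMSSvc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Run]
"My Agent"="C:\\msagent.exe"
'''

if __name__ == "__main__":
    for name, data, verdict in scan_reg_export(SAMPLE):
        print(f"{verdict:8} {name!r} -> {data}")
```

A "partial" verdict means only the value name or only the file path matches, so it calls for a manual look rather than being treated as confirmation.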