A PGP SDA bound with a trojan
This morning I received a mail from a friend, and it appeared to have a PGP self-decrypting archive attached which was bound with a trojan (uploaded sample).
After running the SDA, it extracts two files into c:\documents and settings\administrator\local settings\temp: one is 1.doc.pgp.exe and the other is server.exe (the trojan, which self-deletes).
This trojan uses the ActiveX startup mode, injects into iexplore.exe and has a rootkit feature to hide its files (ati.sys and dlivere.exe in the system32 dir), but strangely it does not hide its network connections :)
Analysis tools used: Procmon/finalrecovery/installrite/ethereal
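A small host-triage script for the behaviour described above, added here as an example and not part of the original post. It assumes that "ActiveX startup mode" refers to the Active Setup "Installed Components" StubPath mechanism; the file and process names (ati.sys, dlivere.exe, iexplore.exe) are taken from the post.

```powershell
# Added triage script (not from the original post). Assumption: the post's
# "ActiveX startup mode" means Active Setup "Installed Components" StubPath
# entries, which run once per user at logon. File/process names are the
# post's own.
$suspectFiles = @('ati.sys', 'dlivere.exe')
$injectedHost = 'iexplore'

# 1. Enumerate Active Setup StubPath entries (32- and 64-bit views).
$asKeys = @('HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components')
foreach ($key in $asKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem $key | ForEach-Object {
        $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
        if ($stub) { "[ActiveSetup] $($_.PSChildName) -> $stub" }
    }
}

# 2. File-hiding hint: a driver that is loaded but whose image is not
#    visible in the directory listing is consistent with a rootkit.
$sys32   = Join-Path $env:SystemRoot 'System32'
$drivers = Get-CimInstance Win32_SystemDriver
foreach ($f in $suspectFiles) {
    $visible = Test-Path (Join-Path $sys32 $f)
    $loaded  = $drivers | Where-Object { $_.PathName -like "*\$f" }
    "[File] $f visibleOnDisk=$visible loadedAsDriver=$([bool]$loaded)"
}

# 3. Network view: the post notes the connections are not hidden, so list
#    TCP connections owned by the injected host process.
$hostPids = (Get-Process -Name $injectedHost -ErrorAction SilentlyContinue).Id
netstat -ano | Select-String 'ESTABLISHED|SYN_SENT' | ForEach-Object {
    $cols = ($_ -split '\s+') | Where-Object { $_ }
    if ($hostPids -contains $cols[-1]) {
        "[Net] $($cols[1]) -> $($cols[2]) pid=$($cols[-1])"
    }
}
```

Run from an elevated prompt; any StubPath pointing outside the usual system locations, or a loaded driver with no visible image, is worth pulling with the recovery and monitoring tools listed above.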
/*feel free to contact me: j0ker_at_2911.net :)*/