Wednesday, April 22, 2009

conficker.e analysis (.exe component) - part 0.3 - service loader

After reading tcpip.sys, the conficker.e exe component generates a temporary file with a random name in the following path: c:\windows\system32\.tmp. Then, through the API used for interfacing with the Service Manager, conficker.e tries to load that tmp file as a service.
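As an added example (not from the original post), a defender-side check over constructed sample service-install records, shaped like the fields of a Windows System log event 7045 ("A service was installed"): it flags services whose image path is a .tmp file, or a non-executable file sitting directly under System32, which is the pattern described above. The record field names and sample values are assumptions.

```python
from pathlib import PureWindowsPath

# Constructed sample records (not real Conficker data). Field names are
# assumed; they mirror "Service Name" / "Service File Name" of event 7045.
SAMPLE_EVENTS = [
    {"service_name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"service_name": "hgqzwd", "image_path": r"C:\WINDOWS\system32\kfzqa.tmp"},
    {"service_name": "wuauserv", "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"service_name": "BackupAgent", "image_path": r'"C:\Program Files\Backup\agent.exe" -svc'},
]

SYSTEM32 = str(PureWindowsPath(r"C:\Windows\System32")).lower()
EXPECTED_EXTENSIONS = {".exe", ".sys"}  # what a service binary under System32 should be


def image_file(image_path: str) -> PureWindowsPath:
    """Extract the executable path from an ImagePath value, dropping arguments.
    Handles both quoted ("C:\\a b\\x.exe" -a) and unquoted (C:\\x.exe -k foo) forms."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return PureWindowsPath(s[1:end] if end > 0 else s[1:])
    return PureWindowsPath(s.split(" ", 1)[0])


def suspicious_reasons(image_path: str) -> list:
    """Return the rules an image path trips (empty list means nothing unusual)."""
    path = image_file(image_path)
    reasons = []
    if path.suffix.lower() == ".tmp":
        reasons.append("service binary is a .tmp file")
    in_system32 = str(path.parent).lower() == SYSTEM32
    if in_system32 and path.suffix.lower() not in EXPECTED_EXTENSIONS:
        reasons.append("non-executable extension directly under System32")
    return reasons


def scan(events: list) -> list:
    """Return (service_name, image_path, reasons) for every record that trips a rule."""
    hits = []
    for ev in events:
        reasons = suspicious_reasons(ev["image_path"])
        if reasons:
            hits.append((ev["service_name"], ev["image_path"], reasons))
    return hits


if __name__ == "__main__":
    for name, path, reasons in scan(SAMPLE_EVENTS):
        print(f"{name}: {path} -> {'; '.join(reasons)}")
```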

The service name is a random string. In this case:

