Naebi

Name: Naebi
Aliases: Haebu Coceda, Orifice, DUNpws.p, Red Power, Trojan.PSW.Spion.a, PWS.gen, PWSteal.Coced.Trojan, TROJ/Coced.239,
Ports: 25
Files: Naebi.exe - 9,728 bytes Naebi212.exe - 9,728 bytes Naebi214.exe - 10,240 bytes Naebi215.exe - 10,240 bytes Naebi216.exe - 10,240 bytes Naebi217.exe - 10,240 bytes Naebi218.exe - 10,752 bytes Naebi219.exe - 11,264 bytes Naebi220.exe - 12,288 bytes Ns220.exe - Ns221pro.exe - 11,776 bytes Ns226a.exe - 12,288 bytes Ns227.exe - Ns231.exe - Ns234.exe - Ns237dir.exe - Ns237icq.exe - Ns237set.exe - Ns237zip.exe - Ns237wrd.exe - Ns238g.exe - Ns238h.exe - Ns238o.exe - Ns240.rar - 12,423 bytes Ns241.exe - 13,824 bytes Conf.exe - 6,656 bytes Confgui.exe - 18,432 bytes Confgui.exe - 24,064 bytes Config.exe - 11,776 bytes Config.exe - 12,800 bytes Config.exe - 13,824 bytes Config22.exe - 16,896 bytes Con216.exe - 13,824 bytes Con219.exe - 15,360 bytes Conf226.exe - 17,920 bytes Conf221p.exe - 15,360 bytes Config.ini - 4,730 bytes Pic1.jpg.exe - Msdll32.exe - Msramgr.exe - Msrnareg.exe Winrun.exe - Winrun32.exe - 26705-i386-update.exe - 14,104 bytes
Created: Feb 1997
Requires:
Actions: Steals passwords / ICQ trojan
Alters System.ini. It also alters Win.ini from v2.34. Naebi sendsall found passwords to a configurable mail address.
Versions: 2.12, 2.14, 2.15, 2.15b, 2.16, 2.16-cracked, 2.17, 2.19, 2.20,2.21, 2.26, 2.27, 2.29, 2.30, 2.31, 2.32, 2.33, 2.34, 2.34.2, 2.35,2.35.3., 2.35.4., 2.35.5., 2.36, 2.37, 2.38, 2.39, 2.40, 2.40b, 2.41,
Registers: HKEY_CURRENT_USER\SOFTWARE\Mirabilis\ICQ\Agent\Apps\ICQ\ HKEY_CURRENT_USER\SO FTWARE\Mirabilis\ICQ\Agent\Apps\Run\ HKEY_USERS\.Default\SOFTWARE\Mirabilis\ICQ\ Agent\Apps\Run\ HKEY_USERS\.Default\SOFTWARE\Mirabilis\ICQ\Agent\ HKEY_LOCAL_MAC HINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ HKEY_USERS\.Default\SOFTWARE \Microsoft\Windows\CurrentVersion\RunServices\
Notes: Works on Windows 3.1, 95, 98, ME,NT and 2000, together with ICQ.ˆ Source code is available.
Country: written in Russia
Program:
© Copyright von Braun Consultants. This information may include technical inaccuracies or typographical errors. If you have any questions or further information about the actual trojan above, please contact Joakim von Braun at <joakim.von.braun@risab.se>