[INFO]
AnalystName=Ashwin
AnalystEMailID=ashwinv@comodo.com
Team=India
Date=07-JUN-2010
Type=TrojWare
Platform=Win32
SubType=TrojanDropper
Family=Drob
Variant=Gen

[OVERVIEW]
This Trojan drops further spyware, adware and other harmful software onto the infected machine. It spreads through hijacked web sites, corrupted freeware downloads, keygens and cracks. The dropped files act as a proxy or keylogger.

[TECHNICAL_DESCRIPTION]
Keys Added:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svcpack32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcpack32

Values Added:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svcpack32\Security
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svcpack32
Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%System%\rundll32.exe svcpack32.dll,axes"
DisplayName = "Windows 2000 Service Pack Setup"
Group = "Event Log"
ObjectName = "LocalSystem"
Description = "Windows 2000 Service Pack Setup"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcpack32\Security
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcpack32
Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%System%\rundll32.exe svcpack32.dll,axes"
DisplayName = "Windows 2000 Service Pack Setup"
Group = "Event Log"
ObjectName = "LocalSystem"
Description = "Windows 2000 Service Pack Setup"

[SYMPTOMS]
Deleted files recreated at restart
Browser error page redirected to strange web sites
Unknown Internet and network connections
Internet activity being logged
Unknown program processes running in the task list

[DISINFECTION]
Delete the registry values added by Drob.
Delete temporary files from the %temp% folder, restart the computer and run a full scan with COMODO Internet Security.
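The persistence mechanism listed under [TECHNICAL_DESCRIPTION] is an auto-start Win32 service whose ImagePath launches rundll32.exe with an unqualified DLL name, under a display name that imitates a Windows component. The following check is an added example, not part of the Comodo description: it parses a `reg export`-style text of the Services key and flags entries matching those indicators. The sample export text is constructed for the example (string values are written as plain quoted strings rather than the hex(2) form `reg export` uses for REG_EXPAND_SZ); the values for the svcpack32 service are the ones listed above, and the Eventlog entry is a benign control.

```python
import re
from typing import Any, Dict, List

# Constructed sample in .reg syntax: one benign service plus the svcpack32
# service with the values given in the description above.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\System32\\services.exe"
"DisplayName"="Event Log"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svcpack32]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"="%System%\\rundll32.exe svcpack32.dll,axes"
"DisplayName"="Windows 2000 Service Pack Setup"
"Group"="Event Log"
"ObjectName"="LocalSystem"
"Description"="Windows 2000 Service Pack Setup"
'''

SERVICE_WIN32_OWN_PROCESS = 0x10  # Type value: service runs in its own process
SERVICE_AUTO_START = 0x2          # Start value: started by the SCM at boot


def parse_reg_export(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse the subset of .reg syntax used in the sample: [key] headers
    followed by "name"=value lines. dword values become ints, quoted strings
    have their doubled backslashes unescaped, anything else is kept raw."""
    keys: Dict[str, Dict[str, Any]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, raw = m.group(1), m.group(2)
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = raw[1:-1].replace("\\\\", "\\")
            else:
                keys[current][name] = raw
    return keys


def find_drob_services(keys: Dict[str, Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return services matching the Drob persistence indicators, with the
    reasons each one was flagged (for analyst triage, not automatic removal)."""
    findings: List[Dict[str, Any]] = []
    for key, values in keys.items():
        service_name = key.rsplit("\\", 1)[-1]
        image = str(values.get("ImagePath", ""))
        reasons: List[str] = []
        if service_name.lower() == "svcpack32":
            reasons.append("service name matches Drob indicator 'svcpack32'")
        if re.search(r"rundll32\.exe\s+svcpack32\.dll", image, re.IGNORECASE):
            reasons.append("ImagePath loads svcpack32.dll through rundll32.exe")
        # Context that explains why the entry survives reboots and what it can do.
        if reasons and values.get("Start") == SERVICE_AUTO_START:
            reasons.append("Start=2: auto-start, recreated behaviour persists across restarts")
        if reasons and values.get("Type") == SERVICE_WIN32_OWN_PROCESS:
            reasons.append("Type=0x10: own-process Win32 service")
        if reasons and values.get("ObjectName") == "LocalSystem":
            reasons.append("runs as LocalSystem")
        if reasons:
            findings.append({"key": key, "name": service_name,
                             "image_path": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_drob_services(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(hit["key"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

To run it against a real system, export the Services key with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` and feed the file contents to `parse_reg_export`; a live export stores REG_EXPAND_SZ values as `hex(2):` UTF-16LE bytes, so that branch would need decoding before the ImagePath match applies. Note that the DLL in the ImagePath has no directory, so it is located through the normal DLL search order rather than from a fixed path, which is why the disinfection step also clears %temp%.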