Reported: February 13, 2008
Category: Trojan, Threats
Trojan.Ozdok spreads by sending itself as spam email to addresses gathered from the infected computer.
The Trojan may be downloaded onto the compromised computer by a Web exploit.
Threat Level: Low
Detected By: Symantec
Systems Affected: Windows - All
It creates the following registry values:
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\"%System%\svchost.exe" = "%System%\svchost.exe:*:Enabled:svchost"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%System%\svchost.exe" = "%System%\svchost.exe:*:Enabled:svchost"
The Trojan may create a service with the following characteristics:
* Service Name: ICF
* Display Name: ICF
* Image Path: %Systemdir%\svchost.exe:exe.exe
It then contacts the following servers on TCP port 80:
* aaauaa.info
* boratchik.com
* sadukkanora.com
* manukazorada.biz
* netzakdjuq.biz
* aaahme.info
* beeddk.0rg
* yankdream.info
* iowandream.info
* hitijeoairnv.biz
* denizendream.org
* kentuckianfuker.com
* alaskanloxajz.com
* fortunebird.biz
* www1.uikkl.info
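The indicators above fall into three groups a defender can check for: the Windows Firewall exception entries that whitelist svchost.exe, the ICF service whose image path points at an NTFS alternate data stream attached to svchost.exe, and the hostnames contacted on TCP port 80. The Python below is an added example, not Symantec's detection logic or anything from the original write-up. It runs over constructed sample input embedded in the script: registry value lines in the same format as those listed above, a small service table, and a few DNS query log lines whose layout (timestamp, client IP, record type, queried name) is an assumption made for the example.

```python
"""Host-side checks for the Trojan.Ozdok indicators listed in the write-up."""
from typing import Dict, List, Optional, Sequence, Tuple

# Indicators copied from the write-up (the 0rg spelling is as published).
OZDOK_SERVICE_NAME = "ICF"
OZDOK_C2_HOSTS = {
    "aaauaa.info", "boratchik.com", "sadukkanora.com", "manukazorada.biz",
    "netzakdjuq.biz", "aaahme.info", "beeddk.0rg", "yankdream.info",
    "iowandream.info", "hitijeoairnv.biz", "denizendream.org",
    "kentuckianfuker.com", "alaskanloxajz.com", "fortunebird.biz",
    "www1.uikkl.info",
}

# Constructed sample data (not captured from a real host).
SAMPLE_REGISTRY = [
    r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\"%System%\svchost.exe" = "%System%\svchost.exe:*:Enabled:svchost"',
    r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%System%\svchost.exe" = "%System%\svchost.exe:*:Enabled:svchost"',
    r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"C:\Program Files\Example\app.exe" = "C:\Program Files\Example\app.exe:*:Enabled:Example App"',
]
SAMPLE_SERVICES: List[Tuple[str, str]] = [
    ("Dnscache", r"%SystemRoot%\system32\svchost.exe -k NetworkService"),
    ("ICF", r"%Systemdir%\svchost.exe:exe.exe"),
    ("Spooler", r"C:\Windows\system32\spoolsv.exe"),
]
SAMPLE_DNS_LOG = [
    "2008-02-13 10:02:11 192.0.2.10 A boratchik.com",
    "2008-02-13 10:02:12 192.0.2.10 A www.example.com",
    "2008-02-13 10:02:13 192.0.2.23 A beeddk.0rg.",
    "2008-02-13 10:02:14 192.0.2.10 A fortunebird.biz",
]


def parse_firewall_entry(line: str) -> Optional[Dict[str, str]]:
    """Split one AuthorizedApplications\\List value line into profile, app and rule."""
    marker = '\\AuthorizedApplications\\List\\"'
    idx = line.find(marker)
    if idx < 0:
        return None
    profile = line[:idx].rsplit("\\", 1)[-1]          # DomainProfile / StandardProfile
    app, _, value = line[idx + len(marker):].partition('" = "')
    return {"profile": profile, "app": app, "rule": value.rstrip('"')}


def find_firewall_exceptions(reg_lines: Sequence[str]) -> List[Dict[str, str]]:
    """Return enabled firewall exceptions whose application is svchost.exe.

    The rule value is path:scope:state:name; it is split from the right so a
    drive-letter colon in the path does not break the parse.
    """
    hits = []
    for line in reg_lines:
        entry = parse_firewall_entry(line)
        if entry is None:
            continue
        parts = entry["rule"].rsplit(":", 3)
        if len(parts) != 4:
            continue
        _path, _scope, state, _name = parts
        app_base = entry["app"].rsplit("\\", 1)[-1].lower()
        if app_base == "svchost.exe" and state.lower() == "enabled":
            hits.append(entry)
    return hits


def has_alternate_data_stream(image_path: str) -> bool:
    """True when the final path component contains file:stream (an NTFS ADS)."""
    path = image_path.strip().strip('"')
    if len(path) >= 2 and path[1] == ":" and path[0].isalpha():
        path = path[2:]                                 # drop the drive letter colon
    return ":" in path.rsplit("\\", 1)[-1]


def find_suspicious_services(services: Sequence[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Flag services named ICF or whose image path lives in an alternate data stream."""
    findings = []
    for name, image_path in services:
        reasons = []
        if name == OZDOK_SERVICE_NAME:
            reasons.append("service name matches Ozdok indicator")
        if has_alternate_data_stream(image_path):
            reasons.append("image path is an alternate data stream")
        if reasons:
            findings.append({"name": name, "image_path": image_path, "reasons": reasons})
    return findings


def find_c2_lookups(dns_lines: Sequence[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, hostname) for queries that match the C2 host list."""
    hits = []
    for line in dns_lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client_ip, qname = fields[2], fields[-1].lower().rstrip(".")
        if qname in OZDOK_C2_HOSTS:
            hits.append((client_ip, qname))
    return hits


if __name__ == "__main__":
    for e in find_firewall_exceptions(SAMPLE_REGISTRY):
        print(f"firewall exception for {e['app']} in {e['profile']}")
    for s in find_suspicious_services(SAMPLE_SERVICES):
        print(f"service {s['name']}: {'; '.join(s['reasons'])}")
    for ip, host in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"{ip} queried C2 host {host}")
```

The alternate-data-stream test is the most reusable part: a service whose image path has a colon in its last component, other than the drive letter, is worth inspecting regardless of which threat put it there, since normal service binaries are never registered that way.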