Backdoor.Win32.Tripod

Class Backdoor
Platform Win32
Description

Technical Details

This backdoor program obtains a file from the Internet and spawns it on a victim’s machine in hidden mode. Upon being run, the backdoor copies itself to the Windows system directory under the name IESTUB32.EXE and registers itself in the auto-run section of the system registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Then, depending on the current date, it loads the file WELCOME.GIF from the http://members.tripod.com Web site, stores it in the Windows temporary directory under the name UNINST32.EXE and spawns it. The behavior of the UNINST32.EXE program is unknown and depends only on the backdoor author’s needs.
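
A triage check for the artifacts described above, written as an added example (it is not part of the original entry). It matches the auto-run value, the two file names and the WELCOME.GIF download, and goes one step further than the text by checking whether the downloaded body starts with a GIF signature or an MZ executable header. The registry value name, the URL path and all sample data are constructed assumptions.

```python
import ntpath

# Indicators named in the description above
DROPPED_NAME = "IESTUB32.EXE"   # self-copy in the Windows system directory
PAYLOAD_NAME = "UNINST32.EXE"   # downloaded file in the Windows temporary directory
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
DOWNLOAD_HOST, DOWNLOAD_FILE = "members.tripod.com", "WELCOME.GIF"

def image_path(command):
    """Return the executable path from a Run-key command line (quoted or not)."""
    cmd = command.strip().lstrip('"')
    end = cmd.lower().find(".exe")
    return cmd[:end + 4] if end != -1 else cmd.split(" ", 1)[0]

def triage(run_values, files, downloads):
    """Return findings for values exported from RUN_KEY, file paths and downloads."""
    findings = []
    for name, command in run_values.items():
        if ntpath.basename(image_path(command)).upper() == DROPPED_NAME:
            findings.append(("autorun", name))
    for path in files:
        if ntpath.basename(path).upper() in (DROPPED_NAME, PAYLOAD_NAME):
            findings.append(("file", path))
    for host, url_path, body in downloads:
        if host.lower() != DOWNLOAD_HOST:
            continue
        if url_path.rsplit("/", 1)[-1].upper() != DOWNLOAD_FILE:
            continue
        # A real GIF starts with GIF87a or GIF89a; a Windows executable starts with MZ.
        kind = "gif" if body[:6] in (b"GIF87a", b"GIF89a") else \
               "executable" if body[:2] == b"MZ" else "unknown"
        findings.append(("download", kind))
    return findings

# Constructed sample data (hypothetical host state; value name and URL path are assumed)
SAMPLE_RUN = {
    "OneDrive": r'"C:\Program Files\OneDrive\OneDrive.exe" /background',
    "iestub": r"C:\WINDOWS\SYSTEM\iestub32.exe",
}
SAMPLE_FILES = [r"C:\WINDOWS\TEMP\UNINST32.EXE", r"C:\WINDOWS\NOTEPAD.EXE"]
SAMPLE_DOWNLOADS = [
    ("members.tripod.com", "/~example/WELCOME.GIF", b"MZ\x90\x00\x03\x00"),
    ("members.tripod.com", "/~example/logo.gif", b"GIF89a\x01\x00"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_DOWNLOADS):
        print(finding)
```

File names are matched in any directory, so a hit still needs its location confirmed against the system and temporary directories named in the description.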