Troj/Cult-B is a Trojan.
Troj/Cult-B is a classic backdoor Trojan which allows a remote intruder to access and control the computer via IRC channels. When first run, Troj/Cult-B copies itself to the <System> directory as wuauclt.exe, overwriting the legitimate Windows file of the same name. (The genuine wuauclt.exe is the Automatic Updates client, so the replacement disguises the Trojan as a normal system process.)
Each time Troj/Cult-B runs, it attempts to connect to the IRC server irc<dot>icq<dot>com using a randomly generated nickname. It then stays resident in the background, waiting for commands sent over IRC and executing them on the infected computer.
Troj/Cult-B creates the following registry entry to automatically start itself each time Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft auto update = WUAUCLT.EXE
While this definition was the third most-accessed on our website this week, Sophos has protected customers from this threat since March 2003.
Detailed analysis
Troj/Cult-B exhibits the following behavior:
Runtime Analysis
Modified Files
Registry Keys Created
- Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Value name: Microsoft auto update
- Value data (raw bytes): 57 55 41 55 43 4c 54 2e 45 58 45 00 00, i.e. the string "WUAUCLT.EXE" followed by two null bytes
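The following PowerShell triage script is an added example; it is not part of the Sophos analysis and not code from the Trojan. It checks a Windows host for the three indicators described in the summary and the detailed analysis above: the "Microsoft auto update" Run value, a replaced wuauclt.exe in the system directory, and an open IRC connection. The IRC port number (6667) is an assumption, since the analysis does not state which port the Trojan uses; the script also assumes that <System> is %SystemRoot%\System32 and that the host runs PowerShell 4 or later with the NetTCPIP module (for Get-NetTCPConnection).

```powershell
# Added triage example; not code from the Sophos analysis or from the Trojan.
# Assumptions not stated on the page: IRC port 6667, <System> = %SystemRoot%\System32,
# PowerShell 4+ (Get-FileHash) with the NetTCPIP module (Get-NetTCPConnection).
# Run from an elevated prompt so every process's connections can be attributed.

$findings = @()

# 1. Persistence: the Trojan adds "Microsoft auto update" = WUAUCLT.EXE under the
#    HKLM Run key. The genuine Automatic Updates client is not started from Run,
#    so either the value name or a bare wuauclt.exe command line is an indicator.
$runPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runKey  = Get-Item -Path $runPath
foreach ($name in $runKey.GetValueNames()) {
    # Trim the trailing NUL bytes seen in the raw value data (57 55 ... 00 00).
    $data = ([string]$runKey.GetValue($name)).TrimEnd([char]0)
    if ($name -eq 'Microsoft auto update' -or $data -match '^\s*"?wuauclt\.exe"?\s*$') {
        $findings += "Run value '$name' = '$data' matches the Troj/Cult-B persistence entry"
    }
}

# 2. Dropped file: the Trojan overwrites the real wuauclt.exe in the system directory.
#    A genuine copy carries a valid Microsoft Authenticode signature; the Trojan does not.
$wuauclt = Join-Path $env:SystemRoot 'System32\wuauclt.exe'
if (Test-Path -Path $wuauclt) {
    $sig    = Get-AuthenticodeSignature -FilePath $wuauclt
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
        $findings += "$wuauclt has signature status '$($sig.Status)' from '$signer'; expected a valid Microsoft signature"
    }
    # Record the hash so it can be compared with a known-good copy from installation media.
    $hash = (Get-FileHash -Path $wuauclt -Algorithm SHA256).Hash
    Write-Host "wuauclt.exe SHA256: $hash"
}

# 3. Command channel: the Trojan keeps an IRC connection open while it waits for commands.
#    Flag any process connected to an IRC port, and any wuauclt.exe with an outbound connection.
$ircPorts = @(6667)   # assumption: the analysis does not name the port
$conns = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue)
foreach ($conn in $conns) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    if (-not $proc) { continue }
    if (($ircPorts -contains $conn.RemotePort) -or ($proc.ProcessName -ieq 'wuauclt')) {
        $findings += ('{0} (PID {1}) has an established connection to {2}:{3}' -f
                      $proc.ProcessName, $conn.OwningProcess, $conn.RemoteAddress, $conn.RemotePort)
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No Troj/Cult-B indicators found.'
} else {
    Write-Host 'Possible Troj/Cult-B indicators:'
    foreach ($f in $findings) { Write-Host " - $f" }
}
```

Run it from an elevated PowerShell prompt. A NotSigned or HashMismatch status on wuauclt.exe, or a Run value that launches a bare WUAUCLT.EXE, is a lead rather than proof: on older systems the genuine file may be catalog-signed rather than embedded-signed, so confirm by comparing the recorded hash with a known-good copy before removing the Run value and restoring the file.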