Archive A Reconstructed © MegaSecurity Database
Tonerok
Released 22 years, 3 months ago. January 2004
Copyright © MegaSecurity
By ?
Informations
| From | ? |
| Author | ? |
| Family | Tonerok |
| Category | Remote Access |
| Version | Tonerok |
| Released Date | Jan 2004, 22 years, 3 months ago. |
| Language | VBSscript, compressed with UPX |
Additional Information
Server:
dropped file:
c:\%WinDir%\svchost.exe
size: 13.824 bytes
port: 10002, 1154 TCP
startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Online Service"
registry added:
HKEY_LOCAL_MACHINE\Software\Microsoft\Mserv "IDwin"
dropped files:
c:\WINDOWS\mserv.exe (Trojan.Win32.Killav.br)
c:\WINDOWS\msto32.dll (Backdoor.Tonerok)
c:\WINDOWS\sysini.ini (contents: "***Computer was successfully infected***")
c:\WINDOWS\SYSTEM\wingua.exe (Trojan.Win32.Killav.br)
c:\WINDOWS\svchost.exe (Backdoor.Tonerok)
Backdoor.Tonerok tries to download and execute several files (1.exe, 2.exe and 3.exe) from "http://trojanerdok.narod.ru" (Russia).
It is capable of disabling some anti-virus programs.
The content of the folders "c:\WINDOWS\Cookies\" and "c:\WINDOWS\Temporary Internet Files\" is deleted.This archive is an almost-complete reconstruction of the legendary Mega Security (also known as Kobayashi), a premier 90s-era "Trojan Database" where malware authors once showcased their work. After a decade offline, the site was brought back in August 2024 by its original creator, MasterRat, who authorized the Malware Gallery to host this modernized, searchable version of the collection. While the original site remains available for those seeking a nostalgic, old-school experience, we are proud to continue its legacy here. Full credit and thanks go to MasterRat and the retired Mega Security staff for their years of dedicated work in cataloging these historical samples.