|Detected|Dec 01 2007 21:51 GMT|
|Released|Dec 01 2007 21:51 GMT|
|Published|May 16 2008 11:17 GMT|
Once launched, the Trojan copies its executable file as shown below:
In order to ensure that the Trojan is launched each time the system is started, it creates a system service called "Runtime" which launches the Trojan executable file each time Windows is booted. The following registry key will be created:
Once installed, the Trojan deletes its original file.
This Trojan has a malicious payload. It is a Windows PE EXE file. It is 20480 bytes in size.
The Trojan contains a rootkit driver which masks the presence of Trojan files on the hard disk, and also the presence of the files listed below:
It also masks the presence of processes related to these files.
The Trojan also launches a hidden process called "iexplore.exe". It injects its code into this process, which will then download files from the following addresses:
Downloaded files will be saved as:
with <rnd> standing for a random sequence of numbers.
Once downloaded, the files will be launched for execution.
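The two behaviours described above (a service named "Runtime" and an "iexplore.exe" process started by something other than the user's shell) can be checked together in event data. The following is an added example, not part of the original description: the event records, host names, paths and the list of expected parent processes are constructed assumptions, with field names loosely modelled on service-installation and process-creation events.

```python
import ntpath
from collections import defaultdict

SERVICE_INSTALLED = 7045  # Service Control Manager: a service was installed
PROCESS_CREATE = 1        # Sysmon: process creation
# Assumption: parents that normally start Internet Explorer on a desktop.
EXPECTED_IE_PARENTS = {"explorer.exe", "iexplore.exe"}

# Constructed sample events; hosts, paths and field names are placeholders.
EVENTS = [
    {"event_id": 7045, "host": "ws01", "service_name": "Runtime",
     "image_path": r"C:\PLACEHOLDER\dropped.exe"},
    {"event_id": 1, "host": "ws01",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\PLACEHOLDER\dropped.exe"},
    {"event_id": 1, "host": "ws02",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": 7045, "host": "ws02", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"event_id": 7045, "host": "ws03", "service_name": "RUNTIME",
     "image_path": r"C:\PLACEHOLDER\other.exe"},
]

def exe_name(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()

def triage(events):
    """Map each host to the sorted list of behaviours seen on it."""
    findings = defaultdict(set)
    for ev in events:
        if ev["event_id"] == SERVICE_INSTALLED:
            if ev["service_name"].lower() == "runtime":
                findings[ev["host"]].add("service-runtime")
        elif ev["event_id"] == PROCESS_CREATE:
            if (exe_name(ev["image"]) == "iexplore.exe"
                    and exe_name(ev["parent_image"]) not in EXPECTED_IE_PARENTS):
                findings[ev["host"]].add("ie-unusual-parent")
    return {host: sorted(found) for host, found in findings.items()}

def high_confidence(events):
    """Hosts where both behaviours occur; either one alone is a weak signal."""
    return sorted(h for h, f in triage(events).items() if len(f) == 2)

if __name__ == "__main__":
    print(triage(EVENTS))
    print(high_confidence(EVENTS))
```

Because the rootkit driver hides files and processes from the running system, event data collected before the driver loaded, or forwarded off the host, is more reliable for this check than a live process listing.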
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
This type of behaviour covers malicious programs that delete, block, modify, or copy data, or disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.
This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.