| Detected | Dec 25 2008 00:13 GMT |
| Released | Dec 25 2008 04:37 GMT |
| Published | Mar 12 2009 15:29 GMT |
This malicious program is a Trojan. It is a Windows PE EXE file. It is 417792 bytes in size. It is packed using UPX. The unpacked file is approximately 439KB in size. It is written in C++.
Once launched, the Trojan copies its body to the current user’s Windows startup directory:
Once the victim machine has been rebooted, the Trojan extracts a file from itself. The file will have one of the names shown below:
This file is 404992 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-Downloader.Win32.Agent.aoth.
In order to ensure that the Trojan is launched automatically each time the system is rebooted, the Trojan places a link to the file it extracted from its body in the system registry:
CrashDump EventLog Init lsass Regscan RunDll Setup Sound svchosts System TaskMon UPNP Windows
<rnd> is the path to the file extracted from the Trojan shown in the list above.
Once the Trojan has delivered its payload, it will delete both its body and its copy "%Documents and Settings%\
This Trojan will not run on Russian versions of Windows.
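A triage check built from the static properties given above (a PE EXE packed with UPX, 417792 bytes for the Trojan and 404992 bytes for the extracted file). This is an added example, not part of the original description; the function names and the `build_sample` test input are constructed for illustration.

```python
import struct

# Sizes stated in the description: the Trojan itself and the file it extracts.
REPORTED_SIZES = {417792: "Trojan body", 404992: "extracted file"}

def pe_section_names(data):
    """Return the section names of a PE image, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)  # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # first section header
    names = []
    for i in range(n_sections):
        entry = table + 40 * i
        if entry + 40 > len(data):
            break                                               # truncated section table
        names.append(data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def triage(data):
    """Report whether a file is a PE, has UPX sections, and matches a reported size."""
    names = pe_section_names(data)
    if names is None:
        return {"pe": False, "upx": False, "size_match": None}
    upx = any(n.startswith("UPX") for n in names)               # UPX0 / UPX1 sections
    return {"pe": True, "upx": upx, "size_match": REPORTED_SIZES.get(len(data))}

def build_sample(section_names, total_size):
    """Constructed test input: minimal PE headers padded with zeros (not a real sample)."""
    buf = bytearray(total_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                     # e_lfanew -> 0x80
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x84, 0x14C, len(section_names))
    struct.pack_into("<H", buf, 0x80 + 20, 0xE0)                # 32-bit optional header size
    table = 0x80 + 24 + 0xE0
    for i, name in enumerate(section_names):
        buf[table + 40 * i:table + 40 * i + 8] = name.ljust(8, b"\0")
    return bytes(buf)

if __name__ == "__main__":
    print(triage(build_sample([b"UPX0", b"UPX1", b".rsrc"], 417792)))
```

UPX is also used by legitimate software and a file size is a weak indicator, so a hit here is a reason to submit the file for scanning, not a verdict.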
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.
This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.