|Detected||Aug 24 2010 08:47 GMT|
|Released||Aug 24 2010 14:59 GMT|
|Published||Mar 16 2011 10:22 GMT|
This Trojan downloads files from the Internet and launches them without the user's knowledge. It is a Windows application (PE EXE file) and is 53 760 bytes in size. It is written in Delphi.
Once launched, the Trojan copies its body to the following file:
%System%\winr.exeAt the same time, this system registry key is created:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\ Image File Execution Options\userinit.exe] "Debugger" = "winr.exe"Thereby, the Trojan will be launched as a debugger each time the process "userinit.exe" starts.
The original Trojan file from the installation stage is deleted.
To ensure that its process is unique within the system, the Trojan creates a unique ID with the name "6A57BEED". After this, to check for a connection to the Internet, it initiates a connection to the site:
google.comIf there is a connection, the Trojan connects to the hosts:
taw***do.cc uer***mo.ccOther malicious programs may be downloaded from these hosts to the infected computer. At the time of writing, these servers were not responding.
The Trojan is able to inject its malicious code into the address spaces of system processes:
csrss.exe svchost.exe winlogon.exe explorer.exe
If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe] "Debugger" = "winr.exe"
Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or included on a list of programs which will run automatically when the operating system boots up.
Information about the names and locations of the programs which are downloaded are in the Trojan code, or are downloaded by the Trojan from an Internet resource (usually a web page).
This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.