Threat Encyclopedia


Short description
The trojan serves as a backdoor and can be controlled remotely. It sends links to MSN users. The file is run-time compressed using UPX, ASPack.
Installation
When executed, the trojan copies itself to the following locations:
  • %userprofile%\%variable1%.exe
  • %system%\%variable2%.exe
%variable1% and %variable2% stand for random text.

In order to be executed on every system start, the trojan sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%userprofile%\%variable1%.exe \o"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "%variable2%" = "%system%\%variable2%.exe \j"
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%system%\%variable2%.exe" = "%system%\%variable2%.exe:*:Enabled=ENABLED"
    "%userprofile%\%variable1%.exe" = "%userprofile%\%variable1%.exe:*:Enabled=ENABLED"
    "%filepath%" = "%filepath%:*:Enabled=ENABLED"
These entries create exceptions in the Windows Firewall for the trojan's executables, so its backdoor traffic is not blocked.
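The two persistence points above and the firewall exceptions can be audited together: the UserInit value should contain nothing but userinit.exe, and an AuthorizedApplications exception for a binary that is also launched from UserInit or the Run key is a strong indicator of this family. The following Python is an added example, not part of the original entry; the registry values it checks are constructed samples and the random file names and user name are placeholders.

```python
import re

# Constructed sample values modelled on this entry's persistence and
# firewall changes; file names and the user name are placeholders.
SAMPLE_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Users\alice\qzvxk.exe \o"
SAMPLE_RUN = {"qwrtp": r"C:\Windows\system32\qwrtp.exe \j"}
SAMPLE_FIREWALL = {
    r"C:\Windows\system32\qwrtp.exe": r"C:\Windows\system32\qwrtp.exe:*:Enabled=ENABLED",
    r"C:\Users\alice\qzvxk.exe": r"C:\Users\alice\qzvxk.exe:*:Enabled=ENABLED",
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled=Windows Messenger",
}

LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"
EXE_RE = re.compile(r'^"?(.*?\.exe)"?(?:\s|$)', re.IGNORECASE)

def command_path(cmd):
    """Strip switches such as the trojan's '\\o' or '\\j' from a command line."""
    m = EXE_RE.match(cmd.strip())
    return m.group(1) if m else cmd.strip()

def userinit_extras(value):
    """UserInit is a comma separated list; anything besides userinit.exe is suspect."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if command_path(e).lower() != LEGIT_USERINIT]

def autostart_paths(userinit_value, run_values):
    """Lower-cased paths of binaries started at logon via UserInit or the Run key."""
    paths = {command_path(e).lower() for e in userinit_extras(userinit_value)}
    paths |= {command_path(c).lower() for c in run_values.values()}
    return paths

def firewall_exceptions_for_autostarts(firewall_values, autostarts):
    """Exceptions of the form '<path>:*:Enabled=<name>' that open all scopes
    for a binary that is also an autostart entry."""
    hits = []
    for path, rule in firewall_values.items():
        parts = rule.rsplit(":", 2)          # path may itself contain 'C:'
        if len(parts) != 3:
            continue                         # malformed value, skip it
        rule_path, scope, state = parts
        if scope == "*" and state.lower().startswith("enabled=") \
                and rule_path.lower() in autostarts:
            hits.append(path)
    return sorted(hits)

def audit(userinit_value, run_values, firewall_values):
    """Combine the three checks into one findings dictionary."""
    autostarts = autostart_paths(userinit_value, run_values)
    return {
        "userinit_extras": userinit_extras(userinit_value),
        "autostart_paths": sorted(autostarts),
        "firewall_exceptions": firewall_exceptions_for_autostarts(firewall_values, autostarts),
    }

if __name__ == "__main__":
    for key, val in audit(SAMPLE_USERINIT, SAMPLE_RUN, SAMPLE_FIREWALL).items():
        print(key, val)
```

On a live host the three inputs would be read from the Winlogon, Run and AuthorizedApplications keys named above; the logic is the same.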
Spreading via IM networks
The trojan sends links to MSN users. The messages may contain any of the following texts:
  • I was on weapons festival in my travel! True, that is not all photos here!
  • I am as Harry Potter in this old cap! Watch! Its funny!
  • Hi. We watch our old photos and die of laughter! More have found!
The attachment is a ZIP archive containing an executable.
Other information
The trojan receives data and commands from a remote computer or the Internet. The trojan contains a list of URLs (1 entry).

The trojan tries to download several files from the Internet. The files are then executed.

The trojan may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket]
It uses techniques common to rootkits.