Short description
The trojan serves as a backdoor. It can be controlled remotely. The trojan sends links to MSN users. The file is run-time compressed using UPX, ASPack.
Installation
When executed, the trojan copies itself to the following locations:
%variable1% and %variable2% stand for random text.
In order to be executed on every system start, the trojan sets the following Registry entries:
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
"UserInit" = "%userprofile%\%variable1%.exe \o"
"%variable2%" = "%system%\%variable2%.exe \j"
The performed command creates an exception in the Windows Firewall.
- "%system%\%variable2%.exe" = "%system%\
- "%userprofile%\%variable1%.exe" = "%userprofile%\
- "%filepath%" = "%filepath%:*:Enabled=ENABLED"
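A defensive check for the autostart and firewall patterns listed above, as an added example that is not part of the original description. It assumes registry values have been exported into the same "name" = "data" notation used here; the rule names, sample paths and value names are constructed, and the UserInit rule is generalised to flag anything other than system32\userinit.exe.

```python
import ntpath
import re

PAIR = re.compile(r'"([^"\n]*)"\s*=\s*"([^"\n]*)"')    # "name" = "data" notation
EXE_SWITCH = re.compile(r'^(.+?\.exe)\s+\\\w$', re.I)  # path plus a "\o"-style switch

def autostart_hits(pairs):
    """Yield (rule, exe_path) for values matching the autostart patterns."""
    for name, data in pairs:
        if name.lower() == "userinit":
            # Generalised: anything but system32\userinit.exe here is suspect.
            for part in filter(None, (p.strip() for p in data.split(","))):
                if not part.lower().endswith("\\system32\\userinit.exe"):
                    m = EXE_SWITCH.match(part)
                    yield "userinit", (m.group(1) if m else part)
        else:
            m = EXE_SWITCH.match(data)
            # Value name equals the executable's own base name, plus a switch.
            if m and ntpath.splitext(ntpath.basename(m.group(1)))[0].lower() == name.lower():
                yield "self-named-run", m.group(1)

def scan(text):
    """Return autostart hits plus firewall exceptions granted to the same files."""
    pairs = PAIR.findall(text)
    hits = list(autostart_hits(pairs))
    flagged = {exe.lower() for _, exe in hits}
    # Firewall exception: "<path>" = "<path>:*:Enabled..." for a flagged executable.
    for name, data in pairs:
        if name.lower() in flagged and data.lower().startswith(name.lower() + ":*:enabled"):
            hits.append(("firewall-exception", name))
    return hits

# Constructed sample (paths and value names are made up for illustration).
SAMPLE = r'''
"UserInit" = "C:\Users\alice\kqzt.exe \o"
"wmpq" = "C:\Windows\system32\wmpq.exe \j"
"C:\Windows\system32\wmpq.exe" = "C:\Windows\system32\wmpq.exe:*:Enabled=ENABLED"
"C:\Program Files\App\app.exe" = "C:\Program Files\App\app.exe:*:Enabled=ENABLED"
"Updater" = "C:\Program Files\App\update.exe /silent"
'''

if __name__ == "__main__":
    for rule, exe in scan(SAMPLE):
        print(rule, exe)
```

Firewall entries are reported only when they authorise an executable that also appears in an autostart hit, so ordinary application exceptions are not flagged.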
Spreading via IM networks
The trojan sends links to MSN users. The attachment is a ZIP archive file containing an executable. The messages may contain any of the following texts:
- I was on weapons festival in my travel! True, that is not all
- I am as Harry Potter in this old cap! Watch! Its funny!
- Hi. We watch our old photos and die of laughter! More have found!
Other information
The trojan receives data and commands from a remote computer or the Internet. The trojan contains a list of 1 URL.
The trojan tries to download several files from the Internet. The files are then executed.
The trojan may set the following Registry entries:
It uses techniques common for rootkits.