Threat Encyclopedia


Short description
The trojan collects sensitive information when the user browses certain web sites. The trojan can send the information to a remote machine. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
  • %system%\sdra64.exe
The trojan creates the following folders:
  • %system%\lowsec
The trojan creates the following files:
  • %system%\lowsec\user.ds.lll
  • %system%\lowsec\user.ds
  • %system%\lowsec\local.ds
The following Registry entry is set:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit" = "%system%\userinit.exe, %system%\sdra64.exe"
This causes the trojan to be executed on every system start.

The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
    "UID" = "%computername%_%variable%"
  • [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{334613DB-50C1-B3BE-95ED-E9915A134FF1}]
    "{3039636B-5F3D-6C64-6675-696870667265}" = %hex_value1%
The trojan creates and runs a new thread with its own program code within the following processes:
  • winlogon.exe
  • svchost.exe
  • explorer.exe
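A host check for the persistence and drop indicators listed in the Installation section above, as an added example that is not part of the original encyclopedia entry: the file names and the Userinit change come from the entry, while the function names, the constructed sample value and the use of Python's standard winreg module are assumptions.

```python
# Added example (not from the entry); indicator names come from the entry above.
import os
from pathlib import Path

# Files the entry says are dropped, relative to %system% (Windows\system32).
INDICATOR_FILES = (
    "sdra64.exe",
    "lowsec/user.ds",
    "lowsec/user.ds.lll",
    "lowsec/local.ds",
)
# A clean Winlogon\Userinit value lists only userinit.exe (a trailing comma is normal).
EXPECTED_USERINIT = "userinit.exe"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value):
    """Split a Userinit value into its non-empty, comma-separated entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def suspicious_userinit_entries(value):
    """Return every Userinit entry whose file name is not userinit.exe.

    The entry above appends %system%\\sdra64.exe after userinit.exe so the
    trojan runs at every logon; any extra entry here deserves a look.
    """
    flagged = []
    for entry in parse_userinit(value):
        name = os.path.basename(entry.replace("\\", "/")).lower()
        if name != EXPECTED_USERINIT:
            flagged.append(entry)
    return flagged


def find_indicator_files(system_dir):
    """Return the indicator paths from the entry that exist under system_dir."""
    base = Path(system_dir)
    return [str(base / rel) for rel in INDICATOR_FILES if (base / rel).exists()]


def check_live_userinit():
    """Read the real Userinit value on Windows; on other platforms return []."""
    try:
        import winreg
    except ImportError:
        return []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return suspicious_userinit_entries(value)
```

On a Windows host, `check_live_userinit()` reads the real value and `find_indicator_files(os.path.join(os.environ["SystemRoot"], "system32"))` checks the drop locations; both return an empty list on a clean system.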
Information stealing
The trojan collects sensitive information when the user browses certain web sites.

The trojan can send the information to a remote machine. The FTP protocol is used.
Other information
The trojan hooks the following Windows APIs:
  • NtCreateThread (ntdll.dll)
  • LdrLoadDll (ntdll.dll)
  • LdrGetProcedureAddress (ntdll.dll)
  • NtQueryDirectoryFile (ntdll.dll)
The following services are disabled:
  • Windows Firewall
The trojan contains a URL. It tries to download a file from that address. The HTTP protocol is used.

The file is stored in the following location:
  • %system%\lowsec\user.ds
The trojan is sent data and commands from a remote computer or the Internet.

It can execute the following operations:
  • monitor network traffic
  • redirect traffic
  • capture screenshots
  • send files to a remote computer
  • download files from a remote computer and/or Internet
  • retrieve information from protected storage and send it to the
    remote computer
  • steal information from Windows clipboard
The trojan may create and run a new thread with its own program code within any running process.