This Trojan downloads files from the Internet and launches them without the user's knowledge. It is a Windows application (PE EXE file) and is 53 760 bytes in size. It is written in Delphi.
Once launched, the Trojan copies its body to the following file:
At the same time, this system registry key is created:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\ Image File Execution Options\userinit.exe] "Debugger" = "winr.exe"
Thereby, the Trojan will be launched as a debugger each time the process "userinit.exe" starts.
The original Trojan file from the installation stage is deleted.
To ensure that its process is unique within the system, the Trojan creates a unique ID with the name "6A57BEED". After this, to check for a connection to the Internet, it initiates a connection to the site:
If there is a connection, the Trojan connects to the hosts:
Other malicious programs may be downloaded from these hosts to the infected computer. At the time of writing, these servers were not responding.
The Trojan is able to inject its malicious code into the address spaces of system processes:
csrss.exe svchost.exe winlogon.exe explorer.exe
If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:
- Delete the following system registry key (see What is a system registry and how do I use it?):
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe] "Debugger" = "winr.exe"
- Reboot the computer.
- Delete the following file:
- Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?).
- Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).