This primitive Trojan is written in Visual C++. This is a Windows PE EXE file, packed using UPX. The packed file is approximately 76KB in size and the unpacked file is approximately 163KB in size.
When launched, the Trojan copies itself to the Windows system directory with a random name. For example:
and registers this file in the Windows system registry:
" = "%System%\jgsjyb.exe"
This ensures that the Trojan will be run each time Windows is rebooted.
Then it deletes the original file.
The Trojan harvests information about visited sites and can send it to the Trojan's author by HTTP.
It also downloads and installs an adware program, not-a-virus:AdWare.BetterInternet, to the victim machine.