Technical Details


Once launched, the Trojan copies its executable file as shown below:


In order to ensure that the Trojan is launched each time the system is started, it creates a system service called "Runtime" which launches the Trojan executable file each time Windows is booted. The following registry key will be created:


Once installed, the Trojan deletes its original file.

This Trojan has a malicious payload. It is a Windows PE EXE file. It is 20480 bytes in size.


The Trojan contains a rootkit driver which masks the presence of Trojan files on the hard disk, and also the presence of the files listed below:


It also masks the presence of processes related to these files.

The Trojan also launches a hidden process called "iexplore.exe". It injects its code into this process, which will then download files from the following addresses:


Downloaded files will be saved as:


with <rnd> standing for a random sequence of numbers.

Once downloaded, the files will be launched for execution.

Removal Instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the malicious program’s process.
  2. Delete the following system registrykey:
  3. Delete the following file:
  4. Delete the contents of %Temp%
  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).