Once launched, the Trojan copies its executable file as shown below:
In order to ensure that the Trojan is launched each time the system is started, it creates a system service called "Runtime" which launches the Trojan executable file each time Windows is booted. The following registry key will be created:
Once installed, the Trojan deletes its original file.
This Trojan has a malicious payload. It is a Windows PE EXE file. It is 20480 bytes in size.
The Trojan contains a rootkit driver which masks the presence of Trojan files on the hard disk, and also the presence of the files listed below:
It also masks the presence of processes related to these files.
The Trojan also launches a hidden process called "iexplore.exe". It injects its code into this process, which will then download files from the following addresses:
Downloaded files will be saved as:
with <rnd> standing for a random sequence of numbers.
Once downloaded, the files will be launched for execution.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the malicious program’s process.
- Delete the following system registry key:
- Delete the following file:
- Delete the contents of %Temp%
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
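A defender-side triage script for the behaviour described above, added here as an example and not part of the original description. It takes the service name "Runtime" and the injected process name iexplore.exe from the text; the service binary path, registry key and download location are not given on the page, so the script reads whatever ImagePath the service records, and it assumes (from the removal step that clears %Temp%) that dropped files land in %Temp% with a purely numeric name, which is a guess at the elided <rnd> template.

```powershell
# Added example, not code from the original page. Read-only triage: it reports
# indicators and deletes nothing, so it can be run before following the removal steps.
function Find-RuntimeTrojanIndicators {
    $findings = @()

    # 1. Persistence: the service called "Runtime" described on the page.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Runtime'
    if (Test-Path $svcKey) {
        $svc = Get-ItemProperty -Path $svcKey
        $findings += "Service 'Runtime' present; ImagePath = $($svc.ImagePath); Start = $($svc.Start)"
        # The rootkit hides the Trojan's files, so a recorded ImagePath that is not
        # visible from user mode is itself a signal rather than an all-clear.
        $exe = [Environment]::ExpandEnvironmentVariables(($svc.ImagePath -replace '"', ''))
        if ($exe -and -not (Test-Path -LiteralPath $exe)) {
            $findings += "ImagePath '$exe' not visible on disk (possible rootkit hiding)"
        }
    }

    # 2. Injected downloader: iexplore.exe with no window and not started by explorer.exe
    # (a normal interactive browser has a window and explorer.exe as its parent).
    Get-CimInstance Win32_Process -Filter "Name = 'iexplore.exe'" | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        $proc   = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
        if ($proc -and $proc.MainWindowHandle -eq 0 -and $parent.Name -ne 'explorer.exe') {
            $findings += "Hidden iexplore.exe PID $($_.ProcessId), parent $($parent.Name) ($($_.ParentProcessId)): $($_.CommandLine)"
        }
    }

    # 3. Dropped payloads: assumed %Temp% location and numeric <rnd> file name (assumption,
    # the page does not show the full template), restricted to executable-type extensions.
    Get-ChildItem -Path $env:TEMP -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^\d+$' -and $_.Extension -in '.exe', '.dll', '.tmp' } |
        ForEach-Object {
            $findings += "Numeric-named file in %Temp%: $($_.FullName) ($($_.Length) bytes, created $($_.CreationTime))"
        }

    return $findings
}

$result = Find-RuntimeTrojanIndicators
if ($result) { $result | ForEach-Object { Write-Output "[!] $_" } } else { Write-Output 'No indicators found' }
```

Run it from an elevated PowerShell session; a hidden service binary or an empty result does not prove the machine is clean, since the rootkit driver filters what user-mode tools can see, so the full scan in the last step is still required.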