Wednesday, August 27, 2008


Once launched, the Trojan copies its executable file as shown below:

In order to ensure that the Trojan is launched each time the system is started, it creates a system service called "Runtime" which launches the Trojan executable file each time Windows is booted. The following registry key will be created:


Once installed, the Trojan deletes its original file.

This Trojan has a malicious payload. It is a Windows PE EXE file. It is 20480 bytes in size.

The Trojan contains a rootkit driver which masks the presence of Trojan files on the hard disk, and also the presence of the files listed below:


It also masks the presence of processes related to these files.
The Trojan also launches a hidden process called "iexplore.exe". It injects its code into this process, which will then download files from the following addresses:


Downloaded files will be saved as:


with standing for a random sequence of numbers.

Once downloaded, the files will be launched for execution.

Removal Guide

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate the malicious program’s process.

2. Delete the following system registry key:


3. Delete the following file:


4. Delete the contents of %Temp%

Tips about How to Choose Computer

Check Out

No comments: