63.488 bytes (packed size: 35347 bytes)
- File Winrarshell32.exe in the System folder (usually Windows\System32 and Windows\System)
- The registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winrarshell points to the winrarshell32.exe file (so the trojan is executed at every system startup).
Let BitDefender delete the files it found infected.
Mihai Chiriac, Mihai Neagu, BitDefender Anti-Virus Researchers
The trojan arrives as a .RAR archive with a malformed header. Some misconfigured archivers may execute the trojan when the archive is merely viewed. The archive is named like a movie subtitle file and is 35347 bytes in size.
When executed, the trojan copies itself as "winrarshell32.exe" and registers itself to be executed at every system startup.
Then, it turns on several password caching facilities in Windows:
- Autocomplete: by adding "Use AutoComplete" = "yes" to the registry key
- Password suggesting: by adding "FormSuggest Passwords" = "yes" and "Use FormSuggest" = "yes" to the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
The trojan logs every password in a file called "system31.bug", which it sends to the trojan's author in an e-mail whose header looks like the following:
X-Mailer: bugmafia v2.02dev
The trojan also adds system statistics to the e-mail, and on NT-based systems it fetches the NT LAN Manager password hashes and sends them too.
To send the mail, the trojan uses its own SMTP engine.
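To check a Windows host for the artefacts described above (the dropped winrarshell32.exe, the Run key, the password-caching switches forced on in the .DEFAULT hive, and the system31.bug password log), here is an added, read-only PowerShell triage script. It is not part of BitDefender's write-up. Two things in it are assumptions, because the page does not state them: the directory searched for system31.bug (%SystemRoot%) and the key under which "Use AutoComplete" is checked (the same Internet Explorer\Main key the page names for the FormSuggest values).

```powershell
# Added triage script; not part of BitDefender's write-up. It only reads the host and
# reports the artefacts described in the text, it removes nothing.
# Run from an elevated PowerShell prompt on the suspect machine.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Kind, [string]$Location, [string]$Detail)
    $script:findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

# 1. Dropped copy of the trojan in the System folders named in the write-up.
foreach ($sub in 'System32', 'System') {
    $candidate = Join-Path $env:SystemRoot "$sub\winrarshell32.exe"
    if (Test-Path -LiteralPath $candidate) {
        $item = Get-Item -LiteralPath $candidate
        $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        Add-Finding 'file' $candidate "size=$($item.Length) bytes, sha256=$hash"
    }
}

# 2. Run-key persistence: value 'winrarshell' under HKLM\...\CurrentVersion\Run.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'winrarshell' -ErrorAction SilentlyContinue
if ($null -ne $run) {
    Add-Finding 'registry' "$runKey\winrarshell" $run.winrarshell
}

# 3. Password-caching switches forced to "yes" in the .DEFAULT user hive.
#    The write-up names this key for the two FormSuggest values; checking
#    "Use AutoComplete" under the same key is an assumption.
$ieMain = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main'
foreach ($name in 'FormSuggest Passwords', 'Use FormSuggest', 'Use AutoComplete') {
    $val = Get-ItemProperty -Path $ieMain -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $val -and $val.$name -eq 'yes') {
        Add-Finding 'registry' "$ieMain\$name" $val.$name
    }
}

# 4. The password log "system31.bug". The write-up does not say where it is written;
#    searching under %SystemRoot% is an assumption and can take a while on a large volume.
Get-ChildItem -Path $env:SystemRoot -Filter 'system31.bug' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'file' $_.FullName "size=$($_.Length) bytes, modified=$($_.LastWriteTime)" }

if ($findings.Count -eq 0) {
    Write-Output 'No indicators of this trojan found.'
} else {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero so the script can gate an automated sweep
}
```

The script exits with status 1 when any indicator is present, so it can be run across a fleet and the hosts that need a BitDefender scan and clean-up picked out from the exit code; the SHA256 of any winrarshell32.exe found is reported so it can be compared against the vendor's sample.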