The trojan drops the following files into the %WINSYS% (Windows system) directory:
- checkreg.exe (4,608 bytes, packed)
- iisload.dll (7,680 bytes, unpacked)
- wslXXXXX.dll, where XXXXX is a random number (11,264 bytes, packed)
The following file in the %TEMP% folder:
- a BAT file (name not given in the description) that deletes the trojan's original executable
And the following entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
- "Registry startup check" = "checkreg.exe"
Let BitDefender delete/disinfect all infected files found.
Raul Tosa, BitDefender virus researcher.
Once executed, the trojan shows an error message (see below) to make the user believe it did not start. In fact it drops checkreg.exe, iisload.dll and wslXXXXX.dll into the %WINSYS% directory and adds a system startup entry pointing to one of the dropped files (checkreg.exe).
iisload.dll is used to inject wslXXXXX.dll into the EXPLORER.EXE process, which makes this a memory-resident trojan.
The BAT file dropped in the %TEMP% folder is then executed to delete the original (dropper) file.
The error message displayed when the trojan is executed.
The code injected into EXPLORER.EXE gathers the following information about the infected computer:
- The operating system (version, build, service pack)
- The running processes
- The installed programs (those listed under "Add/Remove Programs" in the Control Panel)
- The available network adapters (their status, incoming and outgoing byte counts, speed and type: Ethernet, PPP, FDDI, etc.)
- The hard drive's directory structure (drives C: to Z: are searched and the complete tree is built for fixed drives)
This information is then encrypted and sent to a remote computer.
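As an added triage example (this script is not part of the BitDefender description), the following PowerShell checks a Windows host for the artifacts described above: the dropped files and their sizes in the system directory, the Run-key value, and the random-named wslXXXXX.dll loaded inside explorer.exe. It assumes %WINSYS% is the System32 directory; the function names are this example's own.

```powershell
# Added example, not part of the BitDefender description: read-only triage for the
# artifacts listed above. Assumptions: %WINSYS% is the Windows system directory
# (System32); sizes and the Run value name are those documented for this variant;
# the function names are this example's own.

$SysDir = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RegMetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Fixed-name dropped files and their documented sizes (bytes).
$ExpectedSizes = @{
    'checkreg.exe' = 4608
    'iisload.dll'  = 7680
}
$WslDllSize = 11264      # wslXXXXX.dll, XXXXX = random digits

function Find-DroppedFiles {
    $hits = @()
    foreach ($name in $ExpectedSizes.Keys) {
        $path = Join-Path $SysDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $len = (Get-Item -LiteralPath $path).Length
            $hits += [pscustomobject]@{ Path = $path; Size = $len; SizeMatches = ($len -eq $ExpectedSizes[$name]) }
        }
    }
    # The random-named DLL: 'wsl' followed by digits. Report every match and flag the
    # size separately, since a repacked variant would differ only in size.
    $dlls = Get-ChildItem -LiteralPath $SysDir -Filter 'wsl*.dll' -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^wsl\d+\.dll$' }
    foreach ($dll in $dlls) {
        $hits += [pscustomobject]@{ Path = $dll.FullName; Size = $dll.Length; SizeMatches = ($dll.Length -eq $WslDllSize) }
    }
    return $hits
}

function Find-RunEntry {
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return @() }
    $found = @()
    foreach ($p in $props.PSObject.Properties) {
        if ($RegMetaProps -contains $p.Name) { continue }   # provider metadata, not Run values
        # Match the documented value name, or any value whose data launches checkreg.exe.
        if ($p.Name -eq 'Registry startup check' -or ("$($p.Value)" -match 'checkreg\.exe')) {
            $found += [pscustomobject]@{ Name = $p.Name; Data = $p.Value }
        }
    }
    return $found
}

function Find-InjectedModule {
    # wslXXXXX.dll is injected into EXPLORER.EXE, so it shows up among explorer's modules.
    $found = @()
    foreach ($proc in (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
        try { $mods = $proc.Modules } catch { continue }   # needs elevation and matching bitness
        foreach ($m in $mods) {
            if ($m.ModuleName -match '^wsl\d+\.dll$') {
                $found += [pscustomobject]@{ PID = $proc.Id; Module = $m.FileName }
            }
        }
    }
    return $found
}

$files  = @(Find-DroppedFiles)
$run    = @(Find-RunEntry)
$inject = @(Find-InjectedModule)

"Dropped files in ${SysDir}:";        $files  | Format-Table -AutoSize
'Run-key entries:';                   $run    | Format-Table -AutoSize
'wsl*.dll loaded in explorer.exe:';   $inject | Format-Table -AutoSize

if ($files.Count -or $run.Count -or $inject.Count) {
    Write-Warning 'Artifacts matching the description were found; run a full BitDefender scan.'
} else {
    'No matching artifacts found.'
}
```

Run it from an elevated 64-bit PowerShell on 64-bit Windows, otherwise System32 is redirected to SysWOW64 and explorer.exe's module list cannot be read. The size checks are a weak signal (they hold only for this packed variant), which is why the script also reports a wsl*.dll that is merely present or merely loaded; the loaded-module check is the most useful one, because a DLL injected into explorer.exe stays mapped until that process exits.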