The following files in the %WINSYS% directory:
The following file in the %TEMP% folder:
And the following entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
Let BitDefender delete/disinfect all infected files found.
Once executed, the trojan displays an error message (see below) to make the user believe it failed to start. In fact it drops the files checkreg.exe, iisload.dll and wslXXXXX.dll into the %WINSYS% directory and adds a startup entry under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that points to one of the dropped files (checkreg.exe), so the trojan is restarted at every boot.
iisload.dll injects wslXXXXX.dll into the EXPLORER.EXE process, so the trojan's payload runs memory-resident inside Explorer rather than as a separate process of its own.
The BAT file dropped in the %TEMP% folder is then executed to delete the original executable, removing the file the user launched.
The error message displayed when the trojan is executed.
The code injected into EXPLORER.EXE gathers the following information about the infected computer:
This information is then encrypted and sent to a remote computer.
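The following PowerShell triage script is an added example for checking a host against the indicators described above (dropped files in %WINSYS%, the Run-key entry pointing at checkreg.exe, the DLL injected into EXPLORER.EXE, and the batch file in %TEMP%). It is not BitDefender's tool and not part of the original description. Assumptions not stated on the page: %WINSYS% is taken to be $env:SystemRoot\System32, the injected DLL is matched as "wsl" followed by five characters (the page writes it as wslXXXXX.dll), and since the page does not name the batch file, any .bat in %TEMP% is reported for manual review.

```powershell
# Added triage example (not BitDefender's code). Run from an elevated PowerShell
# prompt; module enumeration for explorer.exe needs matching bitness and rights.

# Assumption: %WINSYS% in the description means the System32 directory.
$winsys   = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. Dropped files named in the description.
foreach ($name in 'checkreg.exe', 'iisload.dll') {
    $p = Join-Path $winsys $name
    if (Test-Path -LiteralPath $p) { $findings += "file: $p" }
}
# Assumption: wslXXXXX.dll stands for "wsl" plus five arbitrary characters.
Get-ChildItem -Path $winsys -Filter 'wsl*.dll' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^wsl.{5}\.dll$' } |
    ForEach-Object { $findings += "file: $($_.FullName)" }

# 2. Startup entry under the HKLM Run key that points at checkreg.exe.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata the registry provider adds.
        if ($prop.Name -like 'PS*') { continue }
        if ("$($prop.Value)" -match 'checkreg\.exe') {
            $findings += "run key: $($prop.Name) = $($prop.Value)"
        }
    }
}

# 3. Memory-resident component: iisload.dll or the wsl DLL loaded in explorer.exe.
Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try {
        $proc.Modules |
            Where-Object { $_.ModuleName -match '^(wsl.{5}|iisload)\.dll$' } |
            ForEach-Object {
                $findings += "module in explorer.exe (PID $($proc.Id)): $($_.FileName)"
            }
    } catch {
        $findings += "could not enumerate modules of PID $($proc.Id): $($_.Exception.Message)"
    }
}

# 4. Self-delete batch file left in %TEMP% (name not given on the page, so any
#    .bat there is listed for manual review; this is a broad, noisy check).
Get-ChildItem -Path $env:TEMP -Filter '*.bat' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "temp batch file: $($_.FullName)" }

if ($findings.Count -eq 0) {
    'No indicators from this description were found.'
} else {
    $findings
}
```

The Run-key check matches on the file name rather than a full path because the description only says the entry points to checkreg.exe; the module check is the one that confirms the injected DLL is actually live, since a DLL on disk alone could be a leftover from an earlier cleanup.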