Win32.Worm.Autoit.P
LOW
LOW
215,456 bytes
(Trojan-Downloader.Win32.Agent.akh)
Symptoms
Following are some of the signs that you have been infected:
- disabled Task Manager
- disabled Registry Editor
- presence of the following files:
* %windir%\bad1.exe
* %windir%\bad2.exe
* %windir%\bad3.exe
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Daniel RADU, virus researcher
Technical Description:
Malware is written using AutoIT, which is a "BASIC-like scripting language designed for automating the Windows GUI and general scripting".
Once executed:
- checks whether a "system.exe" process exists; if it does, it executes "explorer.exe" from the system directory
- if any of the following processes are running:
* msconfig.exe
* rstrui.exe
* regedit.exe
* taskmgr.exe
it exits.
- tries to kill the following processes if they are running:
* winsystem.exe
* handydriver.exe
* kerneldrive.exe
* wscript.exe
* cmd.exe
* nod32krn.exe
* nod32kui.exe
- the malware copies itself as:
* %windir%\msmsgs.exe
* %windir%\wininit.exe
and modifies a registry key so that it is run at every system startup
- modifies settings of explorer so that file extensions are hidden
- modifies settings of explorer so that hidden files are not shown
- modifies settings to disable Task Manager
- modifies settings to disable Regedit
- copies itself into all non-removable drives as "system.exe" and adds an autorun.inf file so that it is executed automatically each time the drive is activated or browsed
- deletes the following registry keys:
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NOD32krn\ImagePath
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nod32drv\ImagePath
* HKEY_CLASSES_ROOT\lnkfile\isShortcut
- deletes the following files:
* %program files dir%\ESET\nod32.exe
* %program files dir%\ESET\nod32kui.exe
* %program files dir%\ESET\nod32krn.exe
- downloads files from the internet:
* http://ppt.th.gs/[removed]/bad1.exe
* http://ppt.th.gs/[removed]/bad2.exe
* http://ppt.th.gs/[removed]/bad3.exe
into Windows directory and adds them to Windows startup
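The following triage script is an added example, not BitDefender's code and not part of this description; it turns the symptoms and the behaviour list above into host checks a responder can run from an elevated PowerShell session. The file names, drive-root artifacts and deleted registry data come from the description; the registry values behind "disable Task Manager", "disable Regedit" and the Explorer hidden-file/extension settings, and the Run keys used for startup persistence, are assumptions (the description names the effect, not the key) and are marked as such in the comments. Two of the Explorer values match a default Windows installation, so they are reported only as weak, corroborating indicators.

```powershell
# Added example (not BitDefender's code): host triage for the indicators in
# the Win32.Worm.Autoit.P description. Lines marked ASSUMPTION use well-known
# registry locations that the description itself does not name.
# Usage (elevated):  .\triage-autoit-p.ps1            # report only
#                    .\triage-autoit-p.ps1 -Remediate # also clear the policy values
param([switch]$Remediate)

$win = $env:windir
$findings = @()

# 1. Files the description says are dropped into the Windows directory.
#    Caveat: wininit.exe is a legitimate file under %windir%\System32 on Vista
#    and later; only a copy in the %windir% root is an indicator here.
$dropped = 'msmsgs.exe', 'wininit.exe', 'bad1.exe', 'bad2.exe', 'bad3.exe'
foreach ($name in $dropped) {
    $p = Join-Path $win $name
    if (Test-Path -LiteralPath $p) { $findings += "strong: dropped file present: $p" }
}

# 2. Copies on fixed (non-removable) drives and the autorun.inf that launches them.
#    DriveType 3 = local fixed disk.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object {
    $root = $_.DeviceID + '\'
    foreach ($name in 'system.exe', 'autorun.inf') {
        $p = Join-Path $root $name
        if (Test-Path -LiteralPath $p) { $findings += "strong: drive-root artifact: $p" }
    }
}

# 3. Policy and Explorer values. ASSUMPTION: these are the standard values that
#    produce the effects listed (Task Manager / Regedit disabled, extensions and
#    hidden files hidden). HideFileExt=1 and Hidden=2 are also Windows defaults,
#    so they only corroborate the stronger findings.
$policy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$checks = @(
    @{ Path = $policy;   Name = 'DisableTaskMgr';       Bad = 1; Weight = 'strong' },
    @{ Path = $policy;   Name = 'DisableRegistryTools'; Bad = 1; Weight = 'strong' },
    @{ Path = $advanced; Name = 'HideFileExt';          Bad = 1; Weight = 'weak (Windows default)' },
    @{ Path = $advanced; Name = 'Hidden';               Bad = 2; Weight = 'weak (Windows default)' }
)
foreach ($c in $checks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($c.Name) -eq $c.Bad) {
        $findings += "$($c.Weight): $($c.Path)\$($c.Name) = $($c.Bad)"
        # Only the two policy values are cleared; the Explorer values are a user
        # preference and the dropped files are left to the AV engine, as the
        # removal instructions above say.
        if ($Remediate -and $c.Weight -eq 'strong') {
            Remove-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        }
    }
}

# 4. Startup entries pointing at the dropped names. ASSUMPTION: the description
#    says "a registry key" without naming it; the usual Run keys are checked.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        foreach ($name in $dropped) {
            if ("$($prop.Value)" -like "*\$name*") {
                $findings += "strong: startup entry: $k\$($prop.Name) -> $($prop.Value)"
            }
        }
    }
}

# 5. Data the worm deletes. A missing HKCR\lnkfile\IsShortcut value also removes
#    the shortcut overlay arrow, which is a visible symptom. HKCR is read through
#    HKLM\SOFTWARE\Classes because PowerShell has no HKCR: drive by default.
$lnk = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\lnkfile' -Name IsShortcut -ErrorAction SilentlyContinue
if (-not $lnk) { $findings += 'weak: HKCR\lnkfile\IsShortcut value missing' }

if ($findings.Count -eq 0) { 'No indicators from the Win32.Worm.Autoit.P description found.' }
else { $findings }
```

The script reports rather than deletes files on purpose: the description's removal advice is to let the product disinfect, and a responder usually wants the dropped binaries preserved for analysis before cleanup. The `-Remediate` switch only removes the two policy values, which restores Task Manager and Regedit so that the rest of the investigation can proceed on the host.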