Symptoms
Presence of the following files and registry keys in the system:
- %WINDIR%\mht32.exe
- %WINDIR%\mht
- HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{272BF88D-A474-622F-9684-E4E7FA186643}
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkr32
- Increased internet traffic
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Suiu Andrei, virus researcher
Technical Description:
The virus searches for the explorer.exe process and, if it is found, injects its code into it. The injected code overwrites the file %WINDIR%\mht32.exe with its own copy.
It then searches HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components for a component whose StubPath points to %WINDIR%\mht32.exe and deletes it if found. After that it creates a component with CLSID {272BF88D-A474-622F-9684-E4E7FA186643} whose StubPath points to the virus.
The virus modifies the registry value in order to be executed at every system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
mkr32 = %WINDIR%\mht32.exe
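The two persistence points described above (an Active Setup component whose StubPath runs mht32.exe, and the mkr32 value under the Run key) can be checked with a short script. The following is an added example written for this page, not BitDefender's tool or any code from the sample; the registry entries it scans are constructed here (the benign CLSID and benign paths are placeholders), and the live-registry helper only works on Windows and is assumed to be run with read access to HKLM.

```python
import os
import sys
from typing import Iterable, List, Tuple

# Indicators taken from the description above.
ACTIVE_SETUP_KEY = r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VIRUS_CLSID = "{272BF88D-A474-622F-9684-E4E7FA186643}"
RUN_VALUE_NAME = "mkr32"
DROPPED_EXE = "mht32.exe"

# A registry entry is modelled as (key path, value name, value data), all strings.
RegEntry = Tuple[str, str, str]


def find_indicators(entries: Iterable[RegEntry]) -> List[str]:
    """Return one finding per entry that matches the persistence mechanism:
    any Active Setup StubPath that launches mht32.exe (the virus deletes and
    recreates such a component, so the CLSID may differ from the known one),
    and a Run value named mkr32."""
    findings = []
    for key, name, data in entries:
        key_l, name_l, data_l = key.lower(), name.lower(), data.lower()
        if key_l.startswith(ACTIVE_SETUP_KEY.lower()) and name_l == "stubpath":
            if DROPPED_EXE in data_l:
                clsid = key.rsplit("\\", 1)[-1]
                tag = "known CLSID" if clsid.upper() == VIRUS_CLSID else "unknown CLSID"
                findings.append(f"Active Setup StubPath -> {data} ({tag} {clsid})")
        elif key_l == RUN_KEY.lower() and name_l == RUN_VALUE_NAME:
            findings.append(f"Run value {name} -> {data}")
    return findings


def dropped_file_present() -> bool:
    """Check for the dropped executable under %WINDIR% (False off Windows)."""
    windir = os.environ.get("WINDIR")
    return bool(windir) and os.path.isfile(os.path.join(windir, DROPPED_EXE))


def collect_live_entries() -> List[RegEntry]:
    """Read the real Active Setup StubPath values and Run values on Windows.
    Returns an empty list elsewhere so the script can still be imported."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows
    entries: List[RegEntry] = []
    as_path = ACTIVE_SETUP_KEY.split("\\", 1)[1]
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, as_path) as root:
        i = 0
        while True:
            try:
                sub = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(root, sub) as k:
                    data, _ = winreg.QueryValueEx(k, "StubPath")
                    entries.append((ACTIVE_SETUP_KEY + "\\" + sub, "StubPath", str(data)))
            except OSError:
                pass  # component without a StubPath value
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY.split("\\", 1)[1]) as run:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(run, i)
            except OSError:
                break
            i += 1
            entries.append((RUN_KEY, name, str(data)))
    return entries


# Constructed sample registry contents: two entries planted by the virus and
# two benign ones (placeholder CLSID and paths, not real indicators).
SAMPLE_ENTRIES: List[RegEntry] = [
    (ACTIVE_SETUP_KEY + "\\" + VIRUS_CLSID, "StubPath", r"C:\WINDOWS\mht32.exe"),
    (ACTIVE_SETUP_KEY + r"\{00000000-0000-0000-0000-000000000000}", "StubPath",
     r"C:\WINDOWS\system32\benign-component.exe"),
    (RUN_KEY, "mkr32", r"C:\WINDOWS\mht32.exe"),
    (RUN_KEY, "Updater", r"C:\Program Files\BenignApp\updater.exe"),
]

if __name__ == "__main__":
    live = collect_live_entries()
    for f in find_indicators(live or SAMPLE_ENTRIES):
        print("FOUND:", f)
    print("mht32.exe present:", dropped_file_present())
```

Run on Windows the script inspects the live registry; elsewhere it falls back to the constructed sample so the matching logic can be exercised. Matching on the StubPath target rather than only on the known CLSID matters because the description says the virus removes any existing component pointing at mht32.exe and creates a fresh one.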
The code injected into the explorer.exe process monitors all system messages and logs every pressed key, together with the title of the window it came from, into the file %WINDIR%\mht32.
It then starts the default system browser and injects its code there as well; that code tries to connect to [removed]-pppoe.avangarddsl.ru on port 23423 and send the data collected from the infected computer.
In effect it is a remote keylogger that sends the log file to the destination host.
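Because the exfiltration runs inside the browser process, process-level blocking is of little use; the network side (destination port 23423 and a host under -pppoe.avangarddsl.ru) is the part a perimeter or proxy log can catch. The following detection is an added example for this page, not BitDefender's code: the log line format is a constructed one (timestamp, action, protocol, source, source port, destination, destination port, bytes), the sample lines are made up, and the hostname prefix withheld in the description is replaced with a placeholder.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional

EXFIL_PORT = 23423
# The first label of the hostname is withheld ("[removed]") in the description,
# so only the suffix it gives is matched.
EXFIL_DOMAIN_SUFFIX = "-pppoe.avangarddsl.ru"

# Constructed log format for this example (not a real product's format):
# "<date> <time> <ACTION> <PROTO> <src> <sport> <dst> <dport> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) (?P<src>\S+) (?P<sport>\d+) "
    r"(?P<dst>\S+) (?P<dport>\d+) (?P<bytes>\d+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; malformed lines yield None instead of raising."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_exfil(lines: Iterator[str]) -> List[Finding]:
    """Flag connections matching the keylogger's upload channel: destination
    port 23423, or any host under the -pppoe.avangarddsl.ru suffix. Denied
    connections are flagged too, since the attempt alone indicates infection."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if int(rec["dport"]) == EXFIL_PORT:
            reasons.append(f"destination port {EXFIL_PORT}")
        if rec["dst"].lower().endswith(EXFIL_DOMAIN_SUFFIX):
            reasons.append(f"host under {EXFIL_DOMAIN_SUFFIX}")
        if reasons:
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"],
                                    int(rec["dport"]), "; ".join(reasons)))
    return findings


# Constructed sample log: one benign web request, one upload to the dial-up
# host on the keylogger port, one blocked attempt to a documentation-range IP
# on the same port, and one malformed line.
SAMPLE_LOG = [
    "2004-03-01 08:15:02 ALLOW TCP 10.0.0.5 1043 www.example.com 80 512",
    "2004-03-01 08:15:40 ALLOW TCP 10.0.0.5 1044 placeholder-pppoe.avangarddsl.ru 23423 20480",
    "2004-03-01 08:16:10 DENY TCP 10.0.0.7 1099 198.51.100.23 23423 0",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in flag_exfil(iter(SAMPLE_LOG)):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  [{f.reason}]")
```

Each hit carries the internal source address, which is the machine to pull mht32.exe and the Active Setup and Run entries from; the port match alone still fires when the sample is pointed at a different host, and the suffix match still fires if the port changes.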