The filename of the malware will be considered to be <PseudoRandomName>.
The malware is made of two parts, each with its own purpose depending on where the malware runs. The first part, the one that runs when the malware is injected into winlogon.exe, is the protection part. Every three seconds it adds the DLL to the registry so that it starts on every Windows startup. It creates the keys
and the values
It also disables Error Reporting by deleting all registry keys and values under HKLM\System\CurrentControlSet\Services\Ersvc (the Error Reporting Service).
It copies itself to c:\auto.exe and creates a file autorun.inf in which it writes:
open = auto.exe
ShellExecute = auto.exe
shell\Auto\command = auto.exe
This will start the malware every time the c:\ drive is opened in explorer.exe. Another role of the winlogon part is to download and install updates. The malware tries to download, with wget, a file named update.txt from http://33.xinga[hidden].cn/soft//update.txt. This is an INI file containing much of the information needed to update the malware, such as the new version of the malware, the URL where the new version is located, the URL for the start page, a URL used to count how many times the update has been accessed by the infected computer, and a value that tells the program after how many minutes the installation of the update should begin,
The last thing this part of the malware does is inject itself into all running processes.
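To show how the autorun.inf entries above can be recognised on a scanned volume, here is an added detection example (not code from the malware or from the original analysis). It parses an autorun.inf and flags every directive that launches a program when the drive is opened; the sample file is constructed from the entries listed above.

```python
import configparser
import re

# Constructed sample: the autorun.inf content described in the analysis.
SAMPLE_AUTORUN_INF = """[autorun]
open = auto.exe
ShellExecute = auto.exe
shell\\Auto\\command = auto.exe
"""

# Keys that make Explorer run a program when the volume is opened.
LAUNCH_KEYS = ("open", "shellexecute")
# Extensions that Windows will execute directly.
EXECUTABLE_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js)\b", re.IGNORECASE)


def parse_autorun(text):
    """Return the [autorun] section as {key: value}; keys are lower-cased
    because Windows treats them case-insensitively. Malformed input yields {}."""
    cp = configparser.RawConfigParser(strict=False)  # tolerate duplicate keys
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("autorun"):
        return {}
    return dict(cp.items("autorun"))


def find_launch_directives(text):
    """Return [(key, target)] for every directive that would execute a file.

    Covers open=, shellexecute= and the shell\\<verb>\\command= form used
    to attach a program to a context-menu verb."""
    hits = []
    for key, value in parse_autorun(text).items():
        is_verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if (key in LAUNCH_KEYS or is_verb_command) and EXECUTABLE_EXT.search(value):
            hits.append((key, value.strip()))
    return hits


if __name__ == "__main__":
    for key, target in find_launch_directives(SAMPLE_AUTORUN_INF):
        print(f"autorun launch directive: {key} -> {target}")
```

An `icon=` or `label=` entry is ignored, so a benign autorun.inf that only sets a drive icon produces no hits.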
The second part runs from explorer.exe.
The first thread of this part is used to access the Alexa website. The data is sent as if it came from the Alexa Toolbar v7.2.
The second thread is used to open an Internet Explorer window at a link the malware reads from the downloaded file.
The third thread downloads and executes files from http://211.100.[hidden].4/