Trojan.Injector.CH
HIGH
MEDIUM
Size: approx. 32700 bytes
Symptoms
Increased network activity.
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Stefan Catalin Hanu, virus researcher
Technical Description:
After execution, the malware copies itself to
C:\Program Files\Microsoft Common\wuauclt.exe
and connects to a remote server (91.203.[hide].[hide]:http). If needed, it adds an exception for itself
to the Windows firewall. It injects code into the memory of a running svchost instance and sends sensitive information
about the infected computer (such as the version of the operating system and the port
on which the virus can receive data), then waits to receive a command. Depending on
the operating system of the infected computer, the virus tries to download a
file from a certain address, which acts as an update. On the test machine, the file was %SYSTEM%\cpl32ver.exe.
This file appears in the process list and may have one or two svchost child processes.
The malware has its own SMTP server, which tries to connect to the following addresses and send e-mails:
mxs.mail.ru
fk-in-f114.google.com
gsmtp183.google.com
smtp.messagingengine.com
It also connects to the following addresses:
http://[hide]xu.ru/load3/ld.php?[info]
http://[hide]xr.ru/loadx/ld.php?[info]
211.95.[hide].[hide]:http
208.66.[hide].[hide]:http
216.195.[hide].[hide]:5634
It drops a rootkit component (%SYSTEM%\drivers\[random].sys) that hooks the System Service Descriptor Table.
This way, the virus hides the registry keys it creates.
For the process to start in safe mode, it creates the following registry keys:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\[random].sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\[random].sys
So that the application starts with the operating system, the following keys are added:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cpl32ver (on the test machine)
HKLM\System\CurrentControlSet\Services\[random]
HKLM\System\CurrentControlSet\Services\tcpsr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
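A host triage script that checks for the artifacts listed in this description, added here as an example and not BitDefender's own tooling. It assumes only the paths and keys named above; the [random] driver and service names cannot be matched directly, so the SafeBoot entries are listed for comparison against a known-good baseline, and because the rootkit hides the registry keys it creates, a clean result from a live system is not conclusive.

```powershell
# Added example: triage checks for the Trojan.Injector.CH artifacts listed above.
# Assumption: only the paths and keys named in the description are checked.
# Caveat: the SSDT-hooking driver hides the registry keys it creates, so run this
# from a clean boot or against an offline registry hive for a conclusive result.
$findings = @()

# 1. Dropped executables. The genuine wuauclt.exe lives in %SystemRoot%\System32;
#    a copy under "Program Files\Microsoft Common" is not a Windows location.
$files = @(
    (Join-Path $env:ProgramFiles 'Microsoft Common\wuauclt.exe'),
    (Join-Path $env:SystemRoot 'System32\cpl32ver.exe')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Autostart entries named in the description.
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$val = Get-ItemProperty -Path $run -Name 'Cpl32ver' -ErrorAction SilentlyContinue
if ($val) { $findings += "Run value Cpl32ver -> $($val.Cpl32ver)" }

if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\tcpsr') {
    $findings += 'Service key tcpsr present'
}

# 3. IFEO key for explorer.exe. The description does not say which value is set;
#    a Debugger value under this key would redirect every launch of explorer.exe.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe'
if (Test-Path $ifeo) {
    $props = Get-ItemProperty -Path $ifeo
    $findings += "IFEO key for explorer.exe present (Debugger = '$($props.Debugger)')"
}

# 4. SafeBoot driver entries. The rootkit is named [random].sys, so list every
#    .sys entry and compare against a baseline from a clean machine of the same build.
foreach ($mode in 'Minimal', 'Network') {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '*.sys' } |
        ForEach-Object { $findings += "SafeBoot\$mode entry: $($_.PSChildName)" }
}

if ($findings.Count -eq 0) { 'No listed artifacts found (not conclusive, see caveat above).' }
else { $findings }
```

Run it from an elevated prompt; the SafeBoot section always lists legitimate drivers, so only entries absent from the baseline are of interest.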