Trojan.Harnig.WA

MEDIUM
MEDIUM
Size: 102,400; 50,688; 45,056 bytes
Aliases: Virus.Win32.Xorer.dr, Trojan.Hunder.origin, W32.Pagipef.I!inf, Win32/Xorer

Symptoms

presence of the files and registry entries listed below;
two instances of smss.exe and lsass.exe in Task Manager (the malicious copies run from %sysdir%\com rather than %sysdir%);

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Deac Razvan-Ioan, virus researcher

Technical Description:

Upon execution the malware creates the following files:

%sysdir%\com\smss.exe
%sysdir%\com\lsass.exe
%sysdir%\com\netcfg.000
%sysdir%\com\netcfg.dll

These files carry the hidden attribute, and the malware modifies the following registry key so that hidden files stay invisible in Explorer even if the user has chosen to show them:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden

The file netcfg.dll is registered using the following registry entries:

HKCR\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}
HKCR\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}
HKCR\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}
HKCR\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}
HKCR\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}


In order to spread, the malware copies itself to the root of every installed drive as pagefile.pif and writes an AUTORUN.INF that references this file, so the copy runs when the drive is opened on a system with autorun enabled. The name is a tell: the legitimate paging file is pagefile.sys and is never referenced from an AUTORUN.INF.

The process smss.exe starts an instance of iexplore.exe which fetches HTML pages from locations such as the following (domain partially masked):
w.c0????m/r.htm
w.c0????m/favicon.ico

These pages contain instructions which are interpreted by netcfg.dll.

The process lsass.exe listens on UDP ports 1035 and 1036 and tries to connect to xf.k0???2.com (domain partially masked).

lsass.exe and smss.exe monitor each other: if one process is killed, the other restarts it, so manual cleanup requires terminating both at the same time (or suspending both before killing them) and then removing the dropped files and registry entries.
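As an added triage example (this is not BitDefender's code and not part of the original description), the following Python applies the indicators above to constructed sample data: smss.exe/lsass.exe instances whose image is outside %SystemRoot%\System32, the duplicated-process symptom, a flagged process bound to UDP 1035/1036, and an AUTORUN.INF entry pointing at pagefile.pif. The process list, the netstat-style socket list and the AUTORUN.INF text are assumptions built for the example; on a real host you would feed in the operating system's own listings instead.

```python
"""Triage helpers for the Trojan.Harnig.WA indicators described above.

Added example, not BitDefender's code. Inputs are plain Python data
(a process inventory, netstat-style UDP listeners and AUTORUN.INF text)
so it runs offline on the constructed sample at the bottom; on a live host
you would populate them from the OS instead.
"""
import ntpath
import os
from dataclasses import dataclass

# Names the dropped binaries impersonate; the genuine ones live in System32.
IMPERSONATED = {"smss.exe", "lsass.exe"}
SYSTEM32 = ntpath.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32").lower()
# UDP ports the malicious lsass.exe listens on, per the description above.
WATCH_UDP_PORTS = {1035, 1036}


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    path: str  # full image path as reported by the OS


def suspicious_processes(procs):
    """smss.exe/lsass.exe instances whose image is outside %SystemRoot%\\System32.

    The symptom on the page is 'two instances'; checking the image path is
    more robust, since it still fires if the genuine process is not running
    and it pinpoints the dropped copy (here %sysdir%\\com\\...).
    """
    return [
        p for p in procs
        if p.name.lower() in IMPERSONATED
        and ntpath.dirname(p.path).lower() != SYSTEM32
    ]


def duplicate_system_processes(procs):
    """Impersonated names that appear more than once (the page's symptom)."""
    counts = {}
    for p in procs:
        n = p.name.lower()
        if n in IMPERSONATED:
            counts[n] = counts.get(n, 0) + 1
    return sorted(n for n, c in counts.items() if c > 1)


def suspicious_udp_listeners(procs, listeners):
    """PIDs of flagged processes bound to UDP 1035/1036.

    listeners: iterable of (pid, protocol, local_port). The ports alone sit in
    the dynamic range and would produce false positives, so only a flagged
    process owning them counts.
    """
    flagged = {p.pid for p in suspicious_processes(procs)}
    return sorted({
        pid for pid, proto, port in listeners
        if proto.upper() == "UDP" and port in WATCH_UDP_PORTS and pid in flagged
    })


def autorun_references(autorun_text, filename="pagefile.pif"):
    """Keys in the [autorun] section whose target file is `filename`.

    AUTORUN.INF is INI text; the section name is case-insensitive and the
    target may be quoted, prefixed with '.\\' or followed by arguments, so the
    first token of the value is taken and compared by basename.
    """
    section, hits = None, []
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        tokens = value.strip().strip('"').split()
        if tokens and ntpath.basename(tokens[0]).lower() == filename.lower():
            hits.append(key.strip())
    return hits


# Constructed sample data mirroring the indicators in the description.
SAMPLE_PROCS = [
    Proc(4, "smss.exe", r"C:\Windows\System32\smss.exe"),
    Proc(620, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Proc(1840, "smss.exe", r"C:\Windows\System32\com\smss.exe"),
    Proc(1852, "lsass.exe", r"C:\Windows\System32\com\lsass.exe"),
    Proc(900, "explorer.exe", r"C:\Windows\explorer.exe"),
]
SAMPLE_LISTENERS = [(620, "TCP", 135), (1852, "UDP", 1035), (1852, "UDP", 1036)]
SAMPLE_AUTORUN = """[AutoRun]
open=pagefile.pif
shell\\open\\Command=".\\pagefile.pif"
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

if __name__ == "__main__":
    for p in suspicious_processes(SAMPLE_PROCS):
        print(f"impersonating process pid={p.pid} path={p.path}")
    print("duplicated:", duplicate_system_processes(SAMPLE_PROCS))
    print("udp listeners:", suspicious_udp_listeners(SAMPLE_PROCS, SAMPLE_LISTENERS))
    print("autorun keys:", autorun_references(SAMPLE_AUTORUN))
```

Because the two dropped processes restart each other, a live response would collect the PIDs returned by suspicious_processes and suspend or terminate both in one step before deleting %sysdir%\com and the drive-root pagefile.pif/AUTORUN.INF pair.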