Trojan.Agent.AJJX
HIGH
MEDIUM
~20 kbytes
(Trojan-Downloader.Win32.Small.aacq)
Symptoms
The presence of a file named msgmr.dll in the %ProgramFiles%\Messenger\ folder and of a file named Framdee.ttf in the %WINDOWS%\Fonts\ folder.
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Dana Stanut, virus researcher
Technical Description:
When run, the malware first tries to delete the following registry values (the ShellServiceObjectDelayLoad key lives under HKLM\Software\Microsoft\Windows\CurrentVersion):
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
Name = JavaView
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
Name = DesktopWin
These values were set by a previous version of this malware so that one of its components was loaded by the shell at every logon; the new version removes them to clean up after its predecessor.
Next it checks whether it is already installed by looking for a mutex named __DL_CORE4GAEX_MUTEX__. If the mutex exists, it drops a batch file named unixxx.bat that deletes the dropper, and exits. Otherwise it drops msgmr.dll into the %ProgramFiles%\Messenger folder (creating the folder if it does not exist) and registers the DLL as a COM in-process server and as a shell service object, which makes explorer.exe load it at every logon:
HKCR\CLSID\{DA191DE0-AA86-4ED0-4B87-293D48B2AE99}\InprocServer32
@ = %ProgramFiles%\Messenger\msgmr.dll
ThreadingModel = Apartment
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
msnmsg = {DA191DE0-AA86-4ED0-4B87-293D48B2AE99}
It then runs the DLL's payload with the command line
rundll32 "C:\Program Files\Messenger\msgmr.dll",UIMessage
(UIMessage being the exported entry point) and deletes itself with the same unixxx.bat batch file described above.
The code in msgmr.dll then drops a second file embedded inside it as Framdee.ttf in the %WINDOWS%\Fonts folder; despite the .ttf extension this is executable code, not a font. This component creates the mutex __DL_CORE4GAEX_MUTEX__ so that only one copy of the malware runs at any time, then downloads the following files into the %TEMP% folder:
http://live.[removed].net/moon.gif
http://ftp.[removed].info/moon.gif
http://ftp.[removed].info/moon.asp?action=update&version=%u (not available when this description was written; %u is a format placeholder the malware fills in at runtime)
The moon.gif files are not images: they contain links to further malware, which is downloaded and run on the infected computer.