A strange shortcut in the Startup directory referring to some file in c:\windows\system32\[random].
Please let BitDefender disinfect your files.
Cristian Lungu, virus researcher
The malware comes hidden using an folder icon, used as a mean to persuade people in executing it.
After execution, it drops several files and creates three directories in C:\Windows\system32\ in one of which it copies itself. These directories are set as hidden and protected system folders, so without full viewing permissions, they can remain hidden to the normal user.
For the program to be executed at startup, it creates a link to itself in the Startup directory. This link is verified for existence and recreated when needed every time the malware is executed.
After startup, the malware remains resident in memory and monitors the activity of the current user. From time to time, checks the connection with the internet and in case the host is connected it tries to update. It may be possible under certain circumstances that other malware can be downloaded.
The malware also presents a module that enables him to execute shell commands and thus serve as a backdoor, although a permanent UDP or TCP connection isn’t established.
The malware uses some modules from EPL software development environment which can indicate that it’s provenience may be from East Asia.