
- the presence of the following file c:\resycled\ and an autorun.inf pointing to
- system running slowly

Removal instructions:

Please let BitDefender delete the infected files.

Analyzed By

Dana Stanut, virus researcher

Technical Description:

    When run, this malware first drops two files in the %TEMP% folder: tmp1.tmp and tmp2.tmp.
    The first file is injected into spoolsv.exe under the name dll.dll and is the main component of the malware. It communicates via HTTP with the following site: It is also able to change the computer's DNS settings in order to steal the user's sensitive information. The changed DNS addresses will be: and It also creates the following registry entries:
    msqpdxaff @= 0xBFF
    msqpdxid @= rfy... (the first DNS address, encrypted)
    msqpdxinfo @= 3qxvy ... (the second DNS address, encrypted)
    msqpdxpff @= 0x1F03
    msqpdxrun @= 0x47 (the key used to decrypt the DNS addresses)
    msqpdxsw @= 0x6802f719
    The second file is a modified version of advapi32.dll, which is copied over the original. It is used to load dll.dll at every system startup (it is detected as Trojan.Patched.CK).
    To spread to every removable drive, the worm copies itself to c:\resycled\ and creates an autorun.inf file pointing to that copy.
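The following host check is an added example, not Bitdefender's tool, that looks for the indicators described above (dropped temp files, the msqpdx* registry entries, a patched advapi32.dll, the resycled\ copy with its autorun.inf, and the configured DNS servers). It assumes the registry entries sit somewhere under HKLM:\SOFTWARE or HKLM:\SYSTEM\CurrentControlSet, since the page does not name the key, and it only lists DNS servers for manual comparison because the addresses are not given on the page.

```powershell
# Added detection check for this description (not Bitdefender's code).
# Assumptions: msqpdx* values are under HKLM:\SOFTWARE or
# HKLM:\SYSTEM\CurrentControlSet; C2 site and DNS addresses are unknown.
$findings = @()

# 1. Dropped files in %TEMP%
foreach ($name in 'tmp1.tmp', 'tmp2.tmp') {
    $p = Join-Path $env:TEMP $name
    if (Test-Path $p) { $findings += "Dropped file present: $p" }
}

# 2. Registry values whose names start with msqpdx (location is an assumption)
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet') {
    foreach ($key in Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue) {
        foreach ($v in ($key.GetValueNames() | Where-Object { $_ -like 'msqpdx*' })) {
            $findings += "Registry value $($key.Name)\$v = $($key.GetValue($v))"
        }
    }
}

# 3. Patched advapi32.dll: a genuine copy carries a valid Microsoft signature
$dll = Join-Path $env:SystemRoot 'System32\advapi32.dll'
$sig = Get-AuthenticodeSignature $dll
if ($sig.Status -ne 'Valid') {
    $findings += "advapi32.dll signature status: $($sig.Status)"
}

# 4. resycled\ copy plus an autorun.inf that references it, on every drive
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $dir = Join-Path $drive.Root 'resycled'
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path $dir) { $findings += "Worm copy directory present: $dir" }
    if ((Test-Path $inf) -and ((Get-Content $inf -Raw) -match 'resycled')) {
        $findings += "autorun.inf on $($drive.Root) points into resycled\"
    }
}

# 5. DNS servers, listed for manual review against the addresses Bitdefender names
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue) {
    if ($cfg.ServerAddresses) {
        Write-Output "DNS on $($cfg.InterfaceAlias): $($cfg.ServerAddresses -join ', ')"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No indicators from this description found.' }
```

Run it from an elevated PowerShell session; a finding in step 3 or step 4 is a strong signal, while steps 1 and 5 need corroboration because temp file names and DNS servers are easy to collide with legitimately.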