This small downloader is written in VBS and is embedded in HTML files. When it receives control, it attempts to download 4 files from the following location: http://love[removed].org/css. The files being downloaded are:
- AutoCfg.exe - infected, detected as Backdoor.Ardu.A
- Instexnt.exe, Autoexnt.exe, Servmess.dll - these are clean files and are used for running scripts before a user logs on
After downloading these files, it attempts to install the AutoExNT service and creates another file (AutoExNT.bat), in which the infected application (AutoCfg.exe) is listed. This way, the malware is executed after every reboot, even if no user is logged on to that computer.
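
For triage, the following added example (not part of the original description) parses the contents of an AutoExNT.bat and reports which programs it starts at boot, flagging the AutoCfg.exe name given above. The sample batch text and the path in it are constructed, and the parser handles only simple launch lines (`start`, `call`, `cmd /c`, or a bare program name).

```python
import ntpath
import re

# File name this description identifies as infected (Backdoor.Ardu.A).
KNOWN_BAD = {"autocfg.exe"}
# Batch words that come before the program actually being launched.
PREFIXES = {"start", "call", "cmd", "/c", "/b", "/min", "/wait"}
# Batch built-ins that launch nothing.
IGNORED = {"rem", "echo", "set", "cd", "goto", "if", "exit", "pause"}

# Constructed sample, not taken from a real infection.
SAMPLE_BAT = r'''@echo off
rem constructed sample for the parser below
start "" "C:\WINNT\system32\AutoCfg.exe"
call backup.cmd
'''

def launched_programs(bat_text):
    """Return lower-cased base names of programs the batch file starts."""
    programs = []
    for raw in bat_text.splitlines():
        line = raw.strip().lstrip("@")
        if not line or line.startswith(":"):      # blank, label or :: comment
            continue
        # Split on whitespace but keep quoted paths together.
        tokens = re.findall(r'"[^"]*"|\S+', line)
        while tokens and tokens[0].lower() in PREFIXES:
            word = tokens.pop(0).lower()
            if word == "start" and tokens and tokens[0].startswith('"'):
                tokens.pop(0)                     # quoted window title of start
        if not tokens:
            continue
        first = tokens[0].strip('"')
        if first.lower() in IGNORED:
            continue
        programs.append(ntpath.basename(first).lower())
    return programs

def audit(bat_text):
    """Split launched programs into known-bad hits and entries to review."""
    progs = launched_programs(bat_text)
    hits = [p for p in progs if p in KNOWN_BAD]
    review = [p for p in progs if p not in KNOWN_BAD]
    return hits, review
```

Any entry in the second list still needs manual review, since AutoExNT runs everything in the batch file before logon.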