Trojan.Dropper.Microjoin.WA
On every run the dropper writes two files to %USERPROFILE%\Local Settings\Temp, a clean application named rxcf-green.exe and a malicious file named xq.exe, and then launches both of them.
The malicious component (xq.exe) then creates a malicious DLL with a random name, [random].dll, in %WINDIR%\System32 and registers it for persistence in two places: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\[random].dll -> {F0930A2F-D971-2828-8209-B7DF266ED44} and HKLM\SOFTWARE\Microsoft\Windows\Explorer\ShellExecuteHooks\{F0930A2F-D971-2828-8209-B7DF266ED44} -> null. Both registrations refer to the same randomly named DLL; the CLSID is the link between them.
The DLL has a random 8-character name and a different size and a different overlay on every infection, so its hash is not a stable indicator. Both persistence keys are processed by explorer.exe, so the DLL is loaded into the address space of explorer.exe and, from there, into every application that has explorer.exe as its parent.
Finally, xq.exe removes itself from disk with the .bat self-delete technique: it writes a new .bat file to %USERPROFILE%\Local Settings\Temp and runs it to delete the xq.exe executable.
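The following Python script is an added example, not part of the original description and not the vendor's own tooling. It checks a .reg export of the two persistence keys named above for the pattern this dropper leaves behind: an 8-character random DLL name under ShellServiceObjectDelayLoad whose CLSID also appears as a value name under ShellExecuteHooks. The registry fragment, the DLL name abcdefgh.dll and the CLSID {11111111-2222-3333-4444-555555555555} are constructed stand-ins; the WebCheck and URL Exec Hook entries are typical benign values included for contrast. Keys are matched on their leaf name, so the check works whether the ShellExecuteHooks key is exported with or without the CurrentVersion component in its path.

```python
import re

# Constructed sample .reg export (not taken from a real infection): the DLL
# name and the CLSID are stand-ins. WebCheck and the URL Exec Hook are typical
# benign entries and are here only for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"abcdefgh.dll"="{11111111-2222-3333-4444-555555555555}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{11111111-2222-3333-4444-555555555555}"=""
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="string data"  or  "name"=dword:/hex: data (kept raw in group 3)
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"([^"]*)"|(.*))$')
# Random 8-character DLL name as described for this dropper.
RANDOM_DLL_RE = re.compile(r"^[a-z0-9]{8}\.dll$", re.IGNORECASE)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1)
            data = m.group(2) if m.group(2) is not None else m.group(3)
            keys[current][name] = data
    return keys


def find_ssodl_hooks(keys):
    """Return [(dll_name, clsid, reasons)] for suspicious SSODL entries.

    Keys are matched on their leaf name, so the parent path may be
    ...\Windows\CurrentVersion\Explorer or ...\Windows\Explorer.
    """
    delay_load, exec_hooks = {}, set()
    for path, values in keys.items():
        leaf = path.rsplit("\\", 1)[-1].lower()
        if leaf == "shellserviceobjectdelayload":
            delay_load.update(values)
        elif leaf == "shellexecutehooks":
            # Under ShellExecuteHooks the CLSID is the value name.
            exec_hooks.update(v.upper() for v in values)

    findings = []
    for name, clsid in delay_load.items():
        reasons = []
        if RANDOM_DLL_RE.match(name):
            reasons.append("8-character random DLL name under ShellServiceObjectDelayLoad")
        if clsid and clsid.upper() in exec_hooks:
            reasons.append("same CLSID also registered under ShellExecuteHooks")
        if reasons:
            findings.append((name, clsid, reasons))
    return findings


def scan_reg_file(path):
    """Scan a regedit/reg.exe export; those exports are UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return find_ssodl_hooks(parse_reg(fh.read()))


if __name__ == "__main__":
    for name, clsid, reasons in find_ssodl_hooks(parse_reg(SAMPLE_REG)):
        print(f"{name} -> {clsid}")
        for r in reasons:
            print(f"  {r}")
```

On a suspect host, export the keys with reg export (for example the whole HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion subtree) and pass the file to scan_reg_file; a hit on both reasons for one entry is the strongest signal, since a benign delay-load object normally has no matching ShellExecuteHooks registration. Because the DLL's name, size and overlay change on every run, the registry pairing is a more reliable indicator than any file hash.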