Trojan.Downloader.Bredolab.AM
MEDIUM
MEDIUM
Size: ~64 kbytes
Aliases: Win32/PSW.YahooPass.AF trojan; Trojan-Downloader:W32/Bredolab.IH; PWS:win32/YahooPass.H; TSPY_HOOYPASS.AF
Symptoms
- presence of a .dll with a random nine-letter name in the %SYSTEM32% folder
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Dana Stanut, virus researcher
Technical Description:
This malware uses a Word document icon in order to lure the user into opening it.
When executed it drops a .dll file with a random name into the %SYSTEM32% folder (for the analyzed sample the .dll was named frjacnwrm.dll) and registers it as a Browser Helper Object (BHO) by adding or modifying the following registry keys:
HKLM\SOFTWARE\Classes\CLSID\
(Default) -> Microsoft Online Helper!
HKLM\SOFTWARE\Classes\CLSID\\InProcServer32
(Default) -> %SYSTEM32%\frjacnwrm.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
(Default) -> Microsoft Online Helper!
Next it changes Internet Explorer's settings by setting the following registry value:
HKCU\Software\Microsoft\Internet Explorer\Main
Enable Browser Extensions -> yes
Then it drops a file named sys.bat, which it uses to delete itself.
The dropped .dll monitors the user's activity, and the gathered data is sent via HTTP POST to the following address: http://[removed]idbredov.ru
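The registry changes described above can be checked offline from a `reg export` of the three keys involved. The following script is an added example, not BitDefender's tool or part of the original description: it parses a .reg export, resolves every registered BHO to its InProcServer32 DLL and flags the two indicators given above (a random nine-letter .dll name in System32 and the "Microsoft Online Helper!" friendly name). The sample export, the CLSID GUIDs and the DLL paths in it are constructed for the example; the page does not give the real CLSID.

```python
import re
from typing import Dict, List

# Constructed sample: what a `reg export` of the relevant keys could look like on an
# infected machine. GUIDs and the second (clean) BHO are placeholders for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Microsoft Online Helper!"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\WINDOWS\\system32\\frjacnwrm.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@="Microsoft Online Helper!"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
@="Legit Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InProcServer32]
@="C:\\Program Files\\Vendor\\helper.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions"="yes"
'''

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_RANDOM_DLL_RE = re.compile(r"^[a-z]{9}\.dll$", re.IGNORECASE)


def _unquote(s: str) -> str:
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path (lower-cased): {value name: string data}}.
    Only REG_SZ values are kept; the default value is stored under '@'."""
    reg: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                reg[current][name if name == "@" else _unquote(name)] = _unquote(data)
    return reg


def list_bhos(reg: Dict[str, Dict[str, str]]) -> List[dict]:
    """Resolve each CLSID registered under the BHO key to its friendly name and DLL path."""
    bhos = []
    prefix = BHO_KEY.lower() + "\\"
    for key in reg:
        if key.startswith(prefix) and "\\" not in key[len(prefix):]:
            clsid = key[len(prefix):]
            clsid_key = CLSID_KEY.lower() + "\\" + clsid
            bhos.append({
                "clsid": clsid,
                "name": reg.get(clsid_key, {}).get("@", ""),
                "dll": reg.get(clsid_key + "\\inprocserver32", {}).get("@", ""),
            })
    return bhos


def suspicious_reasons(bho: dict) -> List[str]:
    """Indicators taken from the description above; an empty list means nothing matched."""
    reasons = []
    parent, _, base = bho["dll"].replace("/", "\\").rpartition("\\")
    if parent.lower().endswith("\\system32") and _RANDOM_DLL_RE.match(base):
        reasons.append("nine-letter random DLL name in System32: " + base)
    if bho["name"] == "Microsoft Online Helper!":
        reasons.append("BHO friendly name used by this sample")
    return reasons


def browser_extensions_enabled(reg: Dict[str, Dict[str, str]]) -> bool:
    """'Enable Browser Extensions' = yes is also IE's default, so on its own it proves nothing;
    it only matters together with the BHO indicators above."""
    value = reg.get(IE_MAIN_KEY.lower(), {}).get("Enable Browser Extensions", "")
    return value.lower() == "yes"


def scan(text: str) -> List[dict]:
    """Return every registered BHO with the list of indicators it triggered."""
    reg = parse_reg(text)
    return [dict(b, reasons=suspicious_reasons(b)) for b in list_bhos(reg)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REG):
        status = "SUSPICIOUS" if hit["reasons"] else "ok"
        print(f'{status:10} {hit["clsid"]} {hit["name"]!r} -> {hit["dll"]} {hit["reasons"]}')
    print("Enable Browser Extensions = yes:", browser_extensions_enabled(parse_reg(SAMPLE_REG)))
```

On a live system the same export is produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg` (and likewise for the CLSID and Internet Explorer\Main keys), then concatenated and fed to `scan`. A flagged DLL should be confirmed by checking its file signature and hash before deleting anything.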