Symptoms
Presence of several registry keys under:
HKCR\CLSID\{CEE2864E-1144-4B8F-9A43-4CEAC4553560}
"HKCU\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions" = YES (the value name is rendered with stray punctuation on the original page; stripped of it, it is the Internet Explorer setting that allows Browser Helper Objects to load, which the malware needs turned on for its BHO to run)
A BHO called "Microsoft Online Helper!" or "Google Accelerator!" pointing to %SYSTEM%\bhdvgtueyitf.dll
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Horea Coroiu, virus researcher
Technical Description:
The malware is distributed in a zip archive attached to an e-mail which claims to be from "DHL express services".
Glecia cannot propagate itself, so it needs a third party to send the spam.
An e-mail sample follows:
Subject: DHL Express Services. Please get your parcel NR.56449
Headers:
From: "****" <****@dhl-usa.com>
Subject: DHL Express Services. Please get your parcel NR.56449
Body:
Dear customer!
The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.
You may pickup the parcel at our post office personaly!
Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.
Thank you for attention.
DHL Services.
Attachments:
DHL_print_label_582b9.zip (16.23KB)
The archive contains a packed executable which drops a BHO to %SYSTEM%\bhdvgtueyitf.dll and registers it as "Microsoft Online Helper!" or "Google Accelerator!" with CLSID {CEE2864E-1144-4B8F-9A43-4CEAC4553560}.
When done, the dropper creates and runs a batch file called sys.bat in order to delete itself.
The BHO is a backdoor: once loaded into Internet Explorer it can be used by the attacker to take control of the infected computer.
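The following PowerShell script is an added example (not BitDefender's code) that checks a Windows host for the indicators listed in the Symptoms section and the technical description above: the CLSID registration, the BHO load entry, the dropped DLL in %SYSTEM% and the Internet Explorer setting that lets BHOs load. The CLSID, DLL name and display names are taken from this page; the "Browser Helper Objects" registry path is the standard location Internet Explorer reads BHO CLSIDs from, and the assumption here is that the dropper registers the CLSID there, as any working BHO must. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original advisory: report Glecia indicators on this host.
$Clsid    = '{CEE2864E-1144-4B8F-9A43-4CEAC4553560}'      # CLSID from the Symptoms section
$DllName  = 'bhdvgtueyitf.dll'                            # dropped DLL from the description
$BhoNames = @('Microsoft Online Helper!', 'Google Accelerator!')
$Findings = @()

# 1. COM class registration of the BHO. HKCR is the merged view of
#    HKLM\Software\Classes and HKCU\Software\Classes, so either hive is covered.
$ClsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
if (Test-Path $ClsidKey) {
    $Findings += "CLSID registered: $ClsidKey"
    $Name = (Get-ItemProperty -Path $ClsidKey -ErrorAction SilentlyContinue).'(default)'
    if ($BhoNames -contains $Name) { $Findings += "  display name: $Name" }
    $InProc = Get-ItemProperty -Path "$ClsidKey\InprocServer32" -ErrorAction SilentlyContinue
    if ($InProc) { $Findings += "  InprocServer32 -> $($InProc.'(default)')" }
}

# 2. BHO load entry. Internet Explorer enumerates this key to decide which BHOs
#    to load; on 64-bit hosts the 32-bit view lives under Wow6432Node.
foreach ($Hive in 'HKLM', 'HKCU') {
    foreach ($Sub in 'Software', 'Software\Wow6432Node') {
        $Bho = "${Hive}:\$Sub\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
        if (Test-Path $Bho) { $Findings += "BHO load entry: $Bho" }
    }
}

# 3. The dropped DLL in %SYSTEM%. Hash it so the sample can be matched later.
$DllPath = Join-Path $env:SystemRoot "System32\$DllName"
if (Test-Path $DllPath) {
    $Hash = (Get-FileHash -Path $DllPath -Algorithm SHA256).Hash
    $Findings += "dropped DLL present: $DllPath (SHA256 $Hash)"
}

# 4. IE's Enable Browser Extensions setting (the HKCU\...\Main value the Symptoms
#    section lists as YES). -eq on strings is case-insensitive in PowerShell.
$IeMain = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($IeMain -and $IeMain.'Enable Browser Extensions' -eq 'yes') {
    $Findings += 'IE "Enable Browser Extensions" = yes (BHOs will be loaded)'
}

if ($Findings.Count -eq 0) { 'No Glecia indicators found.' } else { $Findings }
```

The script only reports; removal is left to the antivirus product as the page instructs, because the DLL is loaded into every Internet Explorer process and deleting it while loaded will fail. Note that the dropper removes itself via sys.bat, so the absence of the original executable from the ZIP does not mean the host is clean; the registry and DLL checks above are the persistent indicators.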