(Backdoor.Win32.Small.zs, TrojanDownloader:Win32/Cutwail.gen!C, Troj/Agent-LNC, Trojan.Pandex)
- increased network activity
- presence of the file reader_s.exe in the %SYSTEMROOT%\System32 and %HOMEPATH%\%USERNAME% folders
- presence of a process named reader_s.exe
- the registry keys HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run contain references to the above-mentioned files
Please let BitDefender disinfect your files.
Marius Vanta, virus researcher
This encrypted trojan, once run, will perform the following actions:
- create two copies of itself in the %SYSTEMROOT%\System32 and %HOMEPATH%\%USERNAME% folders under the name reader_s.exe
- create a new process instance by running one of the newly created files
- delete the original file from the disk, keeping only the two copies
The second process instance registers itself to run at system start-up by creating two new entries, one in HKCU\Software\Microsoft\Windows\CurrentVersion\Run and one in HKLM\Software\Microsoft\Windows\CurrentVersion\Run. This operation is repeated every 20 seconds, so removing the entries alone does not stop the persistence while the process is still running.
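A triage check for the Run-key persistence just described (and for the registry symptom listed above), as an added example rather than BitDefender's own code: it parses text in the shape of `reg query <key> /s` output, flags every Run-key value whose command points at reader_s.exe, and reports whether that file sits in one of the two drop folders from the description. The value names, the environment values and the sample lines are constructed, and the rule that an unquoted command ends at the first ".exe" is an assumption.

```python
import ntpath
import re
# Indicators from the description above: dropped file name, drop folders, Run keys.
MALWARE_FILENAME = "reader_s.exe"
DROP_FOLDER_TEMPLATES = (r"%SYSTEMROOT%\System32", r"%HOMEPATH%\%USERNAME%")
RUN_KEYS = {r"hkey_current_user\software\microsoft\windows\currentversion\run",
            r"hkey_local_machine\software\microsoft\windows\currentversion\run"}
DEMO_ENV = {"SYSTEMROOT": r"C:\WINDOWS", "USERNAME": "user",  # constructed demo values;
            "HOMEPATH": r"\Documents and Settings\user"}      # on a live host pass os.environ
# One value line of `reg query <key> /s` output: 4-space indent, name, type, data.
VALUE_RE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")

def _norm(path):
    path = path.strip().lower()
    return path[2:] if re.match(r"^[a-z]:", path) else path  # drop drive letter, if any

def _expand(template, env):
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), template)

def _command_exe(data):
    # Quoted path, else (assumed) everything up to the first ".exe", else first token.
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.+?\.exe)(\s|$)", data)
    return m.group(1) if m else data.split(" ")[0]

def find_run_persistence(reg_output, env=DEMO_ENV):
    # Returns one dict (key, value, path, in_drop_folder) per suspicious Run value.
    drop_dirs = {_norm(_expand(t, env)) for t in DROP_FOLDER_TEMPLATES}
    hits, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().lower()
            continue
        m = VALUE_RE.match(line)
        if not m or key not in RUN_KEYS:
            continue
        exe = _command_exe(m.group("data"))
        if ntpath.basename(exe).lower() == MALWARE_FILENAME:
            hits.append({"key": key, "value": m.group("name"), "path": exe,
                         "in_drop_folder": _norm(ntpath.dirname(exe)) in drop_dirs})
    return hits

# Constructed sample modelled on `reg query ... /s` output; the last hit is outside the drop folders.
SAMPLE = r"""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    reader_s    REG_SZ    C:\Documents and Settings\user\user\reader_s.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    reader_s    REG_SZ    "C:\WINDOWS\System32\reader_s.exe"
    updater    REG_SZ    C:\Temp\reader_s.exe /q
"""
```

Because the trojan rewrites these entries every 20 seconds, a hit here is only meaningful together with a check for a running reader_s.exe process; stop the process before cleaning the keys.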
In a separate thread, the malware decrypts an embedded backdoor component and writes it into the address space of a newly created instance of the legitimate svchost.exe using the WriteProcessMemory API, so the backdoor runs under a trusted process name.
The backdoor component opens an outbound connection to send data and receive commands. The data collected and sent over the internet contains only basic system information about the infected host (such as the number of processors or the system time).