Symptoms
Computer connects to several URLs:
bfisback.[REMOVED].org
butterfly.[REMOVED].es
qwertasdfg.[REMOVED].es
The connections originate from "explorer.exe".
"explorer.exe" accepts UDP connections.
Presence of the hidden "sysdate.exe" in folder "%systemdrive%\RECYCLER\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx", where the x's are random digits.
References to this executable file in one of the following registry keys:
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman"
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
Presence of the infected file in the shared folders of P2P programs.
Infected USB storage media carry the following autorun.inf file in the root folder, as well as the file "ReCYCleR\sEtup32.exe".
[AuToRuN]
UsEAUtOpLaY=1
ShElL\OpEn=Open
SHELL\OpEn\CoMmAnD=ReCYCleR\sEtup32.exe
OPEN=ReCYCleR\sEtup32.exe
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Mihai Stoicoi, virus researcher
Technical Description:
Spreading methods:
Supports P2P: Ares, BearShare, iMesh, Shareaza, Kazaa, DC++, eMule, LimeWire.
Supports MSN Messenger as vector.
Supports infecting USB Media.
Has Mozilla and IE password harvesting capability.
Has TCP/UDP flooding capabilities.
Has Backdoor capability.
The infected executable installs itself on the system by copying itself into the RECYCLER folder and adding itself to the registry so that it runs at startup; it then decrypts code on the stack and injects it into "explorer.exe". This injected component is the payload.
explorer.exe holds mutex: i4__s__frgk665fn.
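The indicators listed under Symptoms (the hidden sysdate.exe under RECYCLER, the Winlogon Taskman/Shell values, the mixed-case autorun.inf on USB media) and the explorer.exe mutex named in the technical description can all be checked by a script. The Python below is an added example written for this page, not a BitDefender tool: the function names are our own, the benign autorun.inf sample is constructed for contrast, and the registry, file and mutex checks use only the standard winreg, pathlib and kernel32 calls noted in the comments and are skipped on non-Windows hosts. The autorun.inf parser lower-cases keys so the worm's mixed-case spelling matches the same normalized key as a normally written file.

```python
"""Indicator checks for the worm described above (added example, not BitDefender's code)."""
import os
import sys
from pathlib import Path

# Indicators quoted from the description above, lower-cased where used for comparison.
AUTORUN_TARGET = r"recycler\setup32.exe"
DROPPED_NAME = "sysdate.exe"
MUTEX_NAME = "i4__s__frgk665fn"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_VALUES = ("Taskman", "Shell")

# The first sample is the autorun.inf quoted in the description; the second is a
# constructed benign file used only to show that the parser does not flag it.
WORM_AUTORUN = r"""[AuToRuN]
UsEAUtOpLaY=1
ShElL\OpEn=Open
SHELL\OpEn\CoMmAnD=ReCYCleR\sEtup32.exe
OPEN=ReCYCleR\sEtup32.exe
"""
BENIGN_AUTORUN = r"""[autorun]
icon=vendor.ico
label=Vendor Tools
"""


def parse_autorun(text: str) -> dict:
    """Parse autorun.inf text into {section: {key: value}} with section and key names lower-cased."""
    result: dict = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            result.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            result.setdefault(section, {})[key.strip().lower()] = value.strip()
    return result


def autorun_indicators(text: str) -> list:
    """Return the [autorun] keys whose command launches ReCYCleR\\sEtup32.exe (sorted)."""
    entries = parse_autorun(text).get("autorun", {})
    hits = []
    for key, value in entries.items():
        normalized = value.lower().replace("/", "\\")
        if key in ("open", r"shell\open\command") and normalized.endswith(AUTORUN_TARGET):
            hits.append(key)
    return sorted(hits)


def dropped_file_paths() -> list:
    """Windows only: sysdate.exe inside any RECYCLER\\S-1-5-21-* folder on the system drive."""
    if sys.platform != "win32":
        return []
    recycler = Path(os.environ.get("SystemDrive", "C:") + "\\", "RECYCLER")
    return sorted(str(p) for p in recycler.glob("S-1-5-21-*/" + DROPPED_NAME) if p.is_file())


def winlogon_references() -> list:
    """Windows only: (value name, data) pairs under Winlogon whose data names sysdate.exe."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in WINLOGON_VALUES:
            try:
                data, _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:  # Taskman is absent on a clean system
                continue
            if DROPPED_NAME in str(data).lower():
                found.append((name, data))
    return found


def mutex_present() -> bool:
    """Windows only: True if the mutex i4__s__frgk665fn exists (kernel32 OpenMutexW)."""
    if sys.platform != "win32":
        return False
    import ctypes
    SYNCHRONIZE = 0x00100000
    handle = ctypes.windll.kernel32.OpenMutexW(SYNCHRONIZE, False, MUTEX_NAME)
    if handle:
        ctypes.windll.kernel32.CloseHandle(handle)
        return True
    return False


if __name__ == "__main__":
    print("autorun.inf keys pointing at the dropped file:", autorun_indicators(WORM_AUTORUN))
    for path in dropped_file_paths():
        print("dropped file present:", path)
    for name, data in winlogon_references():
        print(f"Winlogon\\{name} references {DROPPED_NAME}: {data}")
    if mutex_present():
        print(f"mutex {MUTEX_NAME} is present; explorer.exe may carry the injected payload")
```

To check a removable drive, read its root autorun.inf and pass the text to autorun_indicators(); an empty list means no key launches ReCYCleR\sEtup32.exe. The mutex check only sees the current session, so run it in the same session as the user's explorer.exe.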