The computer connects to several URLs:
The connections originate from "explorer.exe".
"explorer.exe" opens a listening UDP socket, which it does not do on a clean system.
Presence of the hidden file "sysdate.exe" in the folder "%systemdrive%\RECYCLER\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx", where the x's are random digits. Note that "RECYCLER" and its SID-named subfolders are the normal per-user recycle bin on NTFS volumes; the indicator is the executable inside them, not the folders themselves.
References to this executable file in one of the following registry keys:
Copies of the infected file in the shared folders of P2P programs.
Infected USB storage media carry the following autorun.inf file in the root folder, together with the file "ReCYCleR\sEtup32.exe".
Please let BitDefender disinfect your files.
Mihai Stoicoi, virus researcher
Spreads through the shared folders of the P2P clients Ares, BearShare, iMesh, Shareaza, Kazaa, DC++, eMule and LimeWire.
Uses MSN Messenger as an infection vector.
Infects USB media.
Harvests passwords stored by Mozilla browsers and Internet Explorer.
Can flood targets with TCP/UDP traffic.
Has backdoor capability.
The infected executable installs itself by copying itself into the RECYCLER folder and adding a registry entry so that it runs at startup; it then decrypts code on the stack and injects it into "explorer.exe". This injected component is the payload.
The injected code in explorer.exe holds the mutex "i4__s__frgk665fn", which can be used to recognise an active infection.
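The following script turns the indicators above (the hidden sysdate.exe in the RECYCLER SID folder, the autorun.inf plus ReCYCleR\sEtup32.exe on USB media, the UDP listener in explorer.exe, and the i4__s__frgk665fn mutex) into offline checks. It is an added example and not a BitDefender tool. It runs over records you would collect from a suspect host or disk image: file paths, the text of an autorun.inf, a handle listing and a socket listing. All sample data in it is constructed for the demonstration; the autorun.inf text is a plausible example, since the page does not reproduce the real file; the (process, type, object name) and (process, protocol, endpoint) record shapes are assumptions modelled on what handle- and socket-enumeration tools print; and because the description only says "random digits", the digit counts of the SID folder name are left open.

```python
"""Offline checker for the file, mutex and socket indicators in this description.
Added example, not a BitDefender tool. All sample data below is constructed."""
import re

MUTEX_NAME = "i4__s__frgk665fn"

# File indicators. The SID folder is S-1-5-21-<digits>-<digits>-<digits>-<digits>;
# the description only says "random digits", so the digit counts are left open.
FILE_INDICATORS = {
    "recycler_dropper": re.compile(
        r"^[a-z]:\\recycler\\s-1-5-21(?:-\d+){4}\\sysdate\.exe$", re.IGNORECASE),
    "usb_payload": re.compile(r"^[a-z]:\\recycler\\setup32\.exe$", re.IGNORECASE),
    "usb_autorun": re.compile(r"^[a-z]:\\autorun\.inf$", re.IGNORECASE),
}


def classify_path(path):
    """Name of the indicator a path matches, or None. Forward slashes are tolerated."""
    normalized = path.strip().replace("/", "\\")
    for name, pattern in FILE_INDICATORS.items():
        if pattern.match(normalized):
            return name
    return None


def scan_paths(paths):
    """Group a directory listing by matched indicator; unmatched paths are dropped."""
    hits = {name: [] for name in FILE_INDICATORS}
    for path in paths:
        name = classify_path(path)
        if name is not None:
            hits[name].append(path)
    return hits


def parse_autorun(text):
    """Key/value pairs of the [autorun] section (keys lowercased); other sections ignored."""
    values, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def autorun_launches_recycler_payload(text):
    """True if open= or shellexecute= points at a recycler\\setup32.exe (any case, any prefix)."""
    target = re.compile(r"recycler\\setup32\.exe", re.IGNORECASE)
    values = parse_autorun(text)
    return any(target.search(values.get(key, "")) for key in ("open", "shellexecute"))


def processes_holding_mutex(handles):
    """Sorted process names owning the mutex. `handles` are (process, type, object name)
    triples, the shape assumed here for a handle-enumeration tool's output."""
    owners = set()
    for process, handle_type, object_name in handles:
        if handle_type.lower() == "mutant" and object_name.rsplit("\\", 1)[-1] == MUTEX_NAME:
            owners.add(process.lower())
    return sorted(owners)


def explorer_udp_endpoints(sockets):
    """Local UDP endpoints bound by explorer.exe, which binds none on a clean system.
    `sockets` are (process, protocol, local endpoint) triples, again an assumed shape."""
    return [local for process, proto, local in sockets
            if process.lower() == "explorer.exe" and proto.upper() == "UDP"]


# Constructed sample input (not real captures).
SAMPLE_PATHS = [
    r"C:\RECYCLER\S-1-5-21-1234567890-2345678901-345678901-1005\sysdate.exe",
    r"C:\RECYCLER\S-1-5-21-1234567890-2345678901-345678901-1005\desktop.ini",
    r"C:\Windows\system32\sysdate.exe",   # same name, wrong place: not this indicator
    r"E:\autorun.inf",
    r"E:\ReCYCleR\sEtup32.exe",
    r"E:\photos\img_0001.jpg",
]
SAMPLE_AUTORUN = "[autorun]\r\nopen=ReCYCleR\\sEtup32.exe\r\nshellexecute=ReCYCleR\\sEtup32.exe\r\n"
SAMPLE_HANDLES = [
    ("explorer.exe", "Mutant", r"\Sessions\1\BaseNamedObjects\i4__s__frgk665fn"),
    ("explorer.exe", "Mutant", r"\Sessions\1\BaseNamedObjects\ExplorerIsShellMutex"),
    ("svchost.exe", "Event", r"\BaseNamedObjects\i4__s__frgk665fn"),  # not a mutex: ignored
]
SAMPLE_SOCKETS = [
    ("explorer.exe", "UDP", "0.0.0.0:6754"),
    ("svchost.exe", "UDP", "0.0.0.0:123"),
    ("explorer.exe", "TCP", "10.0.0.5:49321"),
]

if __name__ == "__main__":
    print(scan_paths(SAMPLE_PATHS))
    print(autorun_launches_recycler_payload(SAMPLE_AUTORUN))
    print(processes_holding_mutex(SAMPLE_HANDLES))
    print(explorer_udp_endpoints(SAMPLE_SOCKETS))
```

The path matching is case-insensitive on purpose: the sample on USB media is written as "ReCYCleR\sEtup32.exe", and NTFS and FAT lookups ignore case anyway, so a case-sensitive match would miss it. Matching the mutex on the last path component lets the same check work whether the handle dump shows the global "\BaseNamedObjects\..." form or the per-session "\Sessions\N\BaseNamedObjects\..." form.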