presence of the files and registry key specified in the technical description
inability to update some security software
Please let BitDefender disinfect your files.
Ovidiu Visoiu, virus researcher
In order to hide its actions, when it is first run the trojan will inject its code into the memory of Explorer.exe using low-level methods, and a remote thread pointing to this region will be started. This code (executed by Explorer) will be responsible for injecting into all running processes a DLL dropped by the trojan (%USERPROFILE%\Local Settings\Temp\cvasd0.dll).
The injected DLL contains two components: an online-game password stealer (targeting KnightOnline, Metin2, AgeOfConan, TheLordOfTheRings, Maple...) and another embedded DLL (ANTIVM.dll) that will try to disable some known security solutions, usually by stopping their update service modules (Liveserv.exe, vsupdate.exe, Update.exe, AVP.exe, avgupd.exe).
The code injected into the Explorer.exe process will copy itself to %ROOT%[random_name].exe and will create an Autorun.inf file pointing to this copy.
The following registry key is also modified by the malware:
"cdoosoft" = "%TEMP%\herss.exe", where the executable is a copy of the malware
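As an added triage example (not part of the Bitdefender write-up), the Python below checks a host for the artifacts described above: the dropped files, the cdoosoft Run value pointing at herss.exe, and an Autorun.inf in a drive root that launches an executable sitting in the root, as the %ROOT%[random_name].exe copy does. The location of the registry value under the per-user Run key, the helper names and the sample Autorun.inf contents are assumptions; the registry lookup only runs on Windows, while the parsing and matching functions work on constructed input anywhere.

```python
import os

# Artifacts named in the write-up; %VARS% are expanded at run time.
DROPPED_FILES = [r"%USERPROFILE%\Local Settings\Temp\cvasd0.dll", r"%TEMP%\herss.exe"]
REG_VALUE_NAME = "cdoosoft"
# Assumption: the value sits under the per-user Run key; the write-up names only the value.
REG_RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section of an Autorun.inf as lowercase key -> value."""
    values, in_section = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def autorun_is_suspicious(text: str) -> bool:
    """Flag an Autorun.inf whose launch entry runs an .exe placed directly in the
    drive root, which is how the trojan's %ROOT%[random_name].exe copy is started."""
    values = parse_autorun(text)
    for key in ("open", "shellexecute"):
        target = values.get(key, "")
        exe = target.split()[0].strip('"') if target else ""
        if exe.lower().endswith(".exe") and "\\" not in exe.strip("\\"):
            return True
    return False


def run_value_matches(run_values: dict) -> bool:
    """Given Run-key value name -> data pairs, spot the cdoosoft -> herss.exe entry."""
    return run_values.get(REG_VALUE_NAME, "").lower().endswith("herss.exe")


def scan_live() -> list:
    """Check this host for the dropped files and the Run value (registry part is Windows-only)."""
    findings = [p for p in map(os.path.expandvars, DROPPED_FILES) if os.path.isfile(p)]
    try:
        import winreg
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_RUN_KEY) as key:
            data = str(winreg.QueryValueEx(key, REG_VALUE_NAME)[0])
            if run_value_matches({REG_VALUE_NAME: data}):
                findings.append(f"Run value {REG_VALUE_NAME} = {data}")
    except (ImportError, OSError):
        pass  # not Windows, key absent, or value absent
    return findings
```

On an infected Windows XP host the list returned by scan_live() would name the two dropped files and the Run value; pair it with a check of each drive root's Autorun.inf through autorun_is_suspicious().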
Then the trojan will try to download an updated, encrypted version (also detected as Trojan.PWS.Onlinegames) from: