- presence of the file: %system%\lgou.rlo
- presence of the registry value HKEY_LOCAL_MACHINE\Microsoft\Windows NT\Winlogon\shell, containing, among others: "rundll32.exe lgou.rlo mrtiyyb"
This malware belongs to (and is better known as) the Oficla trojan family; it comes with a familiar icon that tricks the user into thinking it is a Word document. When executed, the malware first drops a new file inside the %temp% folder, named "[2 random digits].tmp". This is in fact a .dll file (dynamic link library), and after dropping it the malware injects it into a new instance of svchost.exe. Another copy of this .dll file is also dropped inside the %system% directory, as "lgou.rlo"; this copy is also registered to run at startup by modifying the registry value HKEY_LOCAL_MACHINE\Microsoft\Windows NT\Winlogon\shell and adding "rundll32.exe lgou.rlo mrtiyyb" to it (this way, after every reboot, the malicious .dll is loaded and executed). After dropping these files, the malware erases its own executable file in order to cover its tracks.
The .dll file is in fact a downloader (currently detected as Trojan.Downloader.Agent.ABBL); it tries to download and execute files from http://post[removed].ru and perform additional malicious tasks.
%temp% refers to the temporary folder.
%system% refers to the system folder (usually c:\windows\system32)
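As an added example (not part of the original description), the following Python helper turns the two indicators listed above into a check a responder can run against an exported Winlogon Shell value and a system directory path. It assumes the Shell value is a comma-separated list whose only legitimate entry is explorer.exe, and treats any rundll32 entry that loads a module without a .dll extension (such as lgou.rlo) as suspicious.

```python
"""Added detection helper for the Oficla indicators described above.
Not taken from the original page; the parsing rules below are assumptions."""
import os
import re
from typing import Dict, List

# Assumption: the normal Winlogon Shell value is just the Explorer shell.
DEFAULT_SHELL = "explorer.exe"
# Indicators quoted on the page.
DROPPED_DLL = "lgou.rlo"
SHELL_ENTRY = "rundll32.exe lgou.rlo mrtiyyb"

RUNDLL32_RE = re.compile(r"(?i)^rundll32(?:\.exe)?\s+(\S+)")


def parse_shell_value(value: str) -> List[str]:
    """Split a Winlogon Shell value into its comma-separated entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def extra_shell_entries(value: str) -> List[str]:
    """Entries other than the default shell; anything here deserves a look."""
    return [e for e in parse_shell_value(value) if e.lower() != DEFAULT_SHELL]


def rundll32_non_dll_modules(value: str) -> List[str]:
    """Modules loaded via rundll32 whose name hides the .dll extension."""
    hits = []
    for entry in parse_shell_value(value):
        m = RUNDLL32_RE.match(entry)
        if m and not m.group(1).lower().endswith(".dll"):
            hits.append(m.group(1))
    return hits


def dropped_file_present(system_dir: str) -> bool:
    """True if the dropped copy lgou.rlo exists in the given system directory."""
    return os.path.isfile(os.path.join(system_dir, DROPPED_DLL))


def assess(shell_value: str, system_dir: str) -> Dict[str, object]:
    """Combine the registry and file indicators into one verdict."""
    extras = extra_shell_entries(shell_value)
    disguised = rundll32_non_dll_modules(shell_value)
    known = any(e.lower() == SHELL_ENTRY for e in extras)
    on_disk = dropped_file_present(system_dir)
    return {
        "extra_entries": extras,
        "disguised_modules": disguised,
        "matches_oficla_entry": known,
        "dropped_file_present": on_disk,
        "infected": known or on_disk or bool(disguised),
    }
```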