Backdoor.Hamweq.Z
Presence of the file “C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe”
Presence of the registry keys mentioned below.
Please let BitDefender disinfect your files.
When first run, the malware creates the directory “C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451”, copies itself there under the name “games.exe” and drops a file named “Desktop.ini”, which makes the directory appear as the Recycle Bin when opened in Explorer.
To ensure it runs at startup, the malware creates the following registry values:
“Taskman” and “Shell” under “SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon”, and “games” under “Software\Microsoft\Windows\CurrentVersion\Run”, all of them pointing to “C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe”.
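As an added example (not part of the BitDefender description), a small Python checker that parses a `reg export` of the Winlogon and Run keys and flags the three persistence indicators described above: a Winlogon “Shell” value other than explorer.exe, any “Taskman” value, and Run entries pointing into \RECYCLER\. The embedded export is constructed from the paths named on this page, not a real capture.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a .reg export from an infected host, built from the
# values named in the description above (not an actual capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-1451\\games.exe"
"Taskman"="C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-1451\\games.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"games"="C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-1451\\games.exe"
"ctfmon"="C:\\Windows\\system32\\ctfmon.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="value" with .reg escaping (backslashes and quotes doubled/escaped)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
WINLOGON = r'software\microsoft\windows nt\currentversion\winlogon'
RUN = r'software\microsoft\windows\currentversion\run'


def _unescape(s: str) -> str:
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a .reg export into {key: {name: value}}.
    Real exports are UTF-16LE; read them with open(path, encoding='utf-16')."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            current = m.group(1).lower()
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_hamweq_persistence(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, value) triples matching the indicators above."""
    findings = []
    for key, values in parse_reg(text).items():
        leaf = key.split('\\', 1)[1] if '\\' in key else key  # drop the hive
        for name, value in values.items():
            lname, lvalue = name.lower(), value.lower()
            if leaf == WINLOGON and lname == 'shell' and lvalue != 'explorer.exe':
                findings.append((key, name, value))  # shell replaced/chained
            elif leaf == WINLOGON and lname == 'taskman':
                findings.append((key, name, value))  # Taskman is normally absent
            elif leaf == RUN and '\\recycler\\' in lvalue:
                findings.append((key, name, value))  # autorun from fake Recycle Bin
    return findings


if __name__ == '__main__':
    for key, name, value in find_hamweq_persistence(SAMPLE_REG):
        print(f'[{key}] {name} = {value}')
```

On a live system the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` (and the same for the Run key), read back with UTF-16 decoding.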
After this, the malware injects its code into the memory space of the “explorer.exe” process in an attempt to hide its malicious behavior.
It then communicates with a malicious server by opening a connection through port 8800 to games.freeps3[removed].biz, sending and receiving commands and executing them on the infected machine.
It has the capabilities to steal user information, send mail, initiate SYN attacks, and download and execute new malware.