Presence of the file “C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe”
Presence of the registry keys mentioned below.
Please let BitDefender disinfect your files.
George Cabau, virus researcher
When first run, the malware creates the directory "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451", copies itself there under the name "games.exe", and drops a file named "Desktop.ini" which makes the directory appear as the Recycle Bin when opened in Explorer.
To ensure it runs at every logon, it creates the following registry values:
"Taskman" in "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell" in "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", and "games" in "Software\Microsoft\Windows\CurrentVersion\Run", all of them pointing to "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe".
After this, the malware injects its code into the memory space of the "explorer.exe" process in an attempt to hide its malicious behaviour.
It then communicates with a malicious server by opening a new connection through port 8800 to games.freeps3[removed].biz, sending and receiving commands and executing them on the infected machine.
It is capable of stealing user information, sending e-mail, launching SYN flood attacks, and downloading and executing further malware.
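The file and registry indicators listed above can be checked mechanically. The script below is an added example written for this write-up, not BitDefender's tooling: the pure functions take a snapshot of file paths and registry values (so they can be exercised offline with the constructed sample data at the bottom), and `scan_live_host` collects the same data from a running Windows host with `winreg`. The write-up does not say which hive the values live in, so the live scan queries both HKLM and HKCU; that, the `Desktop.ini` path and the `explorer.exe` default for the Winlogon "Shell" value are assumptions, not details from the page.

```python
import os
import sys

# Indicators taken from the write-up above
RECYCLER_DIR = r"C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451"
DROPPED_EXE = RECYCLER_DIR + r"\games.exe"
DESKTOP_INI = RECYCLER_DIR + r"\Desktop.ini"   # assumed location of the dropped Desktop.ini
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# (key path, value name, expected data on a clean host or None if the value should not exist)
PERSISTENCE_VALUES = [
    (WINLOGON, "Taskman", None),
    (WINLOGON, "Shell", "explorer.exe"),   # assumed default shell on a clean system
    (RUN_KEY, "games", None),
]


def _norm(text):
    """Case-insensitive, quote- and slash-tolerant comparison form for paths."""
    return text.replace("/", "\\").strip().strip('"').lower()


def check_files(existing_paths):
    """Return the indicator files found among `existing_paths`."""
    present = {_norm(p) for p in existing_paths}
    return [path for path in (DROPPED_EXE, DESKTOP_INI) if _norm(path) in present]


def check_registry(values):
    """`values` maps (key path, value name) -> data string as exported from a host.

    A value is flagged when its data references the dropped executable, when it
    exists at all although no legitimate default is expected, or when it differs
    from the expected default. Returns (key, name, data, reason) tuples."""
    lookup = {(_norm(k), n.lower()): d for (k, n), d in values.items()}
    hits = []
    for key, name, default in PERSISTENCE_VALUES:
        data = lookup.get((_norm(key), name.lower()))
        if data is None:
            continue   # value absent: nothing to flag
        if _norm(DROPPED_EXE) in _norm(data):
            hits.append((key, name, data, "points to dropped executable"))
        elif default is None:
            hits.append((key, name, data, "value should not exist"))
        elif _norm(data) != default:
            hits.append((key, name, data, "differs from default %r" % default))
    return hits


def scan_live_host():
    """Collect file and registry state from a running Windows host and check it."""
    if sys.platform != "win32":
        raise RuntimeError("live scan only runs on Windows")
    import winreg
    files = [p for p in (DROPPED_EXE, DESKTOP_INI) if os.path.exists(p)]
    values = {}
    # Hive is not stated in the write-up, so both are queried; if a value exists
    # in both, the HKCU copy is the one kept.
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        for key, name, _ in PERSISTENCE_VALUES:
            try:
                with winreg.OpenKey(hive, key) as handle:
                    data, _type = winreg.QueryValueEx(handle, name)
                    values[(key, name)] = str(data)
            except OSError:
                pass   # key or value not present in this hive
    return check_files(files), check_registry(values)


# Constructed sample snapshot of an infected host, used for the offline demonstration
SAMPLE_FILES = [r"C:\Windows\explorer.exe", DROPPED_EXE, DESKTOP_INI]
SAMPLE_REGISTRY = {
    (WINLOGON, "Shell"): "explorer.exe," + DROPPED_EXE,
    (WINLOGON, "Taskman"): DROPPED_EXE,
    (RUN_KEY, "games"): '"' + DROPPED_EXE + '"',
}

if __name__ == "__main__":
    for path in check_files(SAMPLE_FILES):
        print("file indicator present:", path)
    for key, name, data, reason in check_registry(SAMPLE_REGISTRY):
        print("registry %s\\%s = %s (%s)" % (key, name, data, reason))
```

On a host where the indicators are found, the remediation order that follows from the description is to remove the three registry values first (so the sample cannot be relaunched at logon), then delete the directory; the connection to port 8800 described above is the remaining network indicator that can be watched for at the perimeter.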