Various notifications that the system is infected
Presence of the files and registry modifications described in the technical section
Please let BitDefender disinfect your files.
Ovidiu Visoiu, virus researcher
It usually arrives as an e-mail attachment with a fake MS Office Word document icon.
When run, it drops a DLL file in the %temp% folder, which is then copied to the %system% folder under a random name (e.g. pgsb.lto); this component is detected as Gen:Variant.Oficla.2. To ensure that the DLL is loaded at each system startup, it adds the following registry entry:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] Shell = Explorer.exe rundll32.exe random_dll random_api - where random_dll and random_api may change with newer versions (e.g. pgsb.lto csxyfxr)
The DLL is injected into a svchost.exe process, after which the trojan deletes itself.
Depending on the installed version, the DLL component accesses different sites, usually from Russia (davidopolko.ru, postfolkovs.ru), from which it retrieves a link to another executable (Trojan.Downloader.ABBL). Downloading and running this leads to the installation of a rogue security solution (Security Essentials 2010), detected as Trojan.FakeAV.KZD.
In case of a successful download and installation, additional modifications are made to the system:
[HKCU\Software\Microsoft\Internet Explorer\PhishingFilter] Enabled = 0
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System] DisableTaskMgr = 1
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] smss32.exe = %system%\smss32.exe
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] Security essentials 2010 = %program_files%\Securityessentials2010\SE2010.exe
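The following PowerShell script is an added example for checking a machine against the indicators listed in this description; it is not BitDefender's code and is not a substitute for disinfection. It audits the Winlogon Shell persistence entry added by the dropper and the four registry modifications made by the rogue security solution, and it assumes a default Windows installation where the Winlogon Shell value is exactly explorer.exe and that it is run in the affected user's session so that the HKCU entries are the right hive.

```powershell
# Added example (not part of the original description): audit the registry
# persistence points named in the technical section and report deviations.
# Assumptions: default Winlogon Shell is "explorer.exe"; run as the affected
# user so HKCU refers to that user's hive.

$findings = @()

# 1. Winlogon Shell: the dropper appends "rundll32.exe <random_dll> <random_api>"
#    so anything beyond the bare explorer.exe is worth triaging.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ine 'explorer.exe') {
    $findings += [pscustomobject]@{ Location = "$winlogon\Shell"; Value = $shell; Note = 'Shell is not the default explorer.exe' }
    if ($shell -match '(?i)rundll32\.exe\s+(\S+)\s+(\S+)') {
        # Record the DLL name and export rundll32 would load at logon (random per sample)
        $findings += [pscustomobject]@{ Location = 'rundll32 argument'; Value = "$($Matches[1]) $($Matches[2])"; Note = 'DLL and export loaded by the Shell value' }
        # The DLL lives in %system% under a random name according to the description
        $dllPath = Join-Path $env:SystemRoot "System32\$($Matches[1])"
        if (Test-Path -LiteralPath $dllPath) {
            $findings += [pscustomobject]@{ Location = $dllPath; Value = (Get-Item -LiteralPath $dllPath).Length; Note = 'Referenced DLL present in %system% (size in bytes)' }
        }
    }
}

# 2. Policy/feature changes made after the rogue AV is installed
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'; Name = 'Enabled'; Bad = 0; Note = 'IE phishing filter disabled' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Bad = 1; Note = 'Task Manager disabled by policy' }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and $v -eq $c.Bad) {
        $findings += [pscustomobject]@{ Location = "$($c.Path)\$($c.Name)"; Value = $v; Note = $c.Note }
    }
}

# 3. Autostart entries with the value names used by this variant
$runChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'smss32.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Security essentials 2010' }
)
foreach ($r in $runChecks) {
    $v = (Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
    if ($v) {
        $findings += [pscustomobject]@{ Location = "$($r.Path)\$($r.Name)"; Value = $v; Note = 'Autostart entry named in the description' }
        # Run values may contain environment variables; expand before checking the file
        $exe = [Environment]::ExpandEnvironmentVariables($v.Trim('"'))
        if (Test-Path -LiteralPath $exe) {
            $findings += [pscustomobject]@{ Location = $exe; Value = (Get-Item -LiteralPath $exe).Length; Note = 'Autostart target present on disk (size in bytes)' }
        }
    }
}

if ($findings.Count -eq 0) {
    'No indicators from this description were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A clean system produces no findings; any Shell value other than explorer.exe is reported even when it does not match the rundll32 pattern, because newer versions change the DLL and export names. The script only reads the registry and file system, so it is safe to run as a first triage step before letting the antivirus product perform the cleanup.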