The user directory will contain \Templates\memory.tmp, a copy of the malware, and
Local Settings\Application Data\Windows Server\pwfsdy.dll, a DLL that uses the registry value found at
The "pwfsdy" name is not necessarily the same on all versions of the malware.
The malware doesn't infect other files; all files recognized as KATES.AG can be safely deleted, as they don't have to be disinfected.
Voicu Hodrea, virus researcher
The file will be moved to \Templates\memory.tmp inside the personal directory of the user that runs the malware
(e.g. "C:\Documents and Settings\Administrator\").
The original file is deleted.
A DLL file is also dumped: \Local Settings\Application Data\Windows Server\pwfsdy.dll (3KB)
The "Windows Server" subdirectory doesn't usually exist there and is created by the malware.
The file's access, creation and write times are replaced with those of user32.dll, so the DLL does not stand out by timestamp.
The DLL will be executed automatically each time a program is run for the first time because of a registry
key written at SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\AppSecDll.
A registry key called HKEY_CURRENT_USER\SOFTWARE\lbtppwfsdy\lbtppwfsdy will be created with some binary data.
The data in the key is loaded by the DLL and executed. This is the code that executes the malicious instructions.
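A triage check for the two registry artifacts just described, added here as an example and not part of the original description: it parses a constructed .reg export, flags an AppCertDlls entry that points into the per-user "Windows Server" directory, and flags an HKCU\SOFTWARE\<name>\<name> key holding binary data without assuming the "lbtppwfsdy" name, since it varies between variants.

```python
"""Scan a Windows .reg export for the KATES.AG persistence artifacts:
an AppCertDlls value pointing into '...\Windows Server\' and an
HKCU\SOFTWARE\<name>\<name> key holding hex (binary) data."""
import re

# Constructed sample export (not from a real system); names follow the description.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppSecDll"="C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Windows Server\\pwfsdy.dll"

[HKEY_CURRENT_USER\SOFTWARE\lbtppwfsdy\lbtppwfsdy]
@=hex:4d,5a,90,00,03,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
'''

APPCERT_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls"
DLL_DIR = r"\Local Settings\Application Data\Windows Server"  # malware-created dir

def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} from a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, raw = line.split("=", 1)
            keys[current][name.strip('"')] = raw
    return keys

def find_kates_artifacts(text):
    """Return (kind, name, detail) tuples for each suspicious artifact found."""
    findings = []
    for key, values in parse_reg(text).items():
        # 1. AppCertDlls entries are loaded into every newly created process;
        #    a DLL under the per-user "Windows Server" directory is the described artifact.
        if key.upper().endswith(APPCERT_KEY.upper()):
            for name, raw in values.items():
                path = raw.strip('"').replace("\\\\", "\\")  # .reg doubles backslashes
                if DLL_DIR.lower() in path.lower():
                    findings.append(("appcertdll", name, path))
        # 2. HKCU\SOFTWARE\<x>\<x>: subkey repeats its parent's name and stores binary data.
        m = re.fullmatch(r"HKEY_CURRENT_USER\\SOFTWARE\\([^\\]+)\\\1", key, re.IGNORECASE)
        if m and any(raw.lower().startswith("hex") for raw in values.values()):
            findings.append(("payload_key", m.group(1), key))
    return findings
```

Run it against a real export with `find_kates_artifacts(open(path, encoding="utf-16").read())`; reg.exe writes UTF-16 by default.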
The DLL waits until it is loaded into one of the recognized browsers (Firefox, Opera, Internet Explorer).
When it finds itself running in one of the browsers it hooks functions used for transferring data over an
internet connection. Those hooks will filter the pages the user browses and select the ones that are result pages
from internet search engines (google, yahoo, bing).
When a result page is found the malware will randomly choose to replace the link of the results with a URL to
a different site than the one the search engine provided. These sites include fake online antivirus scanners
and sites with pornographic content. The malware also parses the page the user is viewing and it spies on passwords
and other personal information. This personal data is sent to one of the malware's developers' servers.