The following files are present after infection:
The file "desktop.ini" has the following structure, which enables the containing folder to have a deceiving recycle bin type icon:
Another visible symptom is the sudden termination of antiviruses, firewalls or diverse process and file monitoring software.
Please let BitDefender disinfect your files.
The malware creates a hidden folder "%appdata%\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\" where it copies the original malware as "winlogon.exe" and it triggers it's execution.
The original malware executable is afterwards deleted. Two threads are created which try to terminate processes that might impair the virus' activity. Some examples are:
The virus makes use of named mutexes ("fTs0SAP2fZCeUpaog", ...) to check it's in-memory status from different potential concurrent threads.
It also contains protection mechanisms against debugging and virtual machine emulation. The virus writes the memory of "explorer.exe", where it creates a remote thread, which reloads the malware if it's terminated.
The trojan opens a communication port (60500) and attempts to send packages and receive commands from the following IRC hostnames: