Symptoms

Removal instructions:

Analyzed By

Technical Description:

Has Adware functionality.
When launched, copies itself to %WINDIR%\System32 under a random name and registers this file in the system registry to ensure  that the file will be launched each time Windows is rebooted.

Downloads a file from a preconfigured location an executes it.
Injects code into another process in order to restart itself if it is terminated.

It is able to update itself over the Internet

The Trojan will synchronize itself with the following NTP servers in order to check the time
    clock.fmt.he.net
    dewey.lib.ci.phoenix.az.us
    decimal.lib.ci.phoenix.az.us
    time.alcanet.no
    fartein.ifi.uio.no
    ntp1.theinternetone.net
    ntp.doubleukay.com
    ntp.ewha.net
    ntps.net4u.it
    ntp.maths.tcd.ie
    ntp.mfa.gr
    ntp.via.ecp.fr
    ntp.univ-lyon1.fr
    ntp2.tuxfamily.net
    ntp1.tuxfamily.net
    ntp.tuxfamily.net
    ntp.obspm.fr
    tock.keso.fi
    tick.keso.fi
    hora.oxixares.com
    tick.fh-augsburg.de
    tack.fh-augsburg.de
    ntp2.contactel.cz
    ntp1.contactel.cz
    ntp.karpo.cz
    ntp.globe.cz
    ntp.cgi.cz
    tock.utoronto.ca
    timelord.uregina.ca
    time.nrc.ca
    time.chu.nrc.ca
    tick.utoronto.ca
    ntp1.cmc.ec.gc.ca
    ntp.cpsc.ucalgary.ca
    ntp1.pucpr.br
    ntp.ufes.br
    ntp.pop-pr.rnp.br
    ntp.massayonet.com.br
    ntp.hiway.com.br
    ntp.cais.rnp.br
    ntp2.belbone.be
    ntp1.belbone.be
    tock.nap.com.ar
    time.sinectis.com.ar
    tick.nap.com.ar
    ntp.saard.net
    ntp.ucsd.edu


Contains strings
    callinghome.biz
    OfferDrv-{F395B5B4-1837-4e79-AD7B-7287043E4DBC}

It tracks user actions an harvests a range of information.