Installation
The following files are dropped in the %system% folder:
openglssd.sys
openglss.dll
The library is loaded and injected into the following process:
EXPLORER.EXE
The following Registry entries are set:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\openglss]
"DllName" = "openglss.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\openglss]
"Startup" = "openglss"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\openglss]
"Impersonate" = "1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\openglss]
"Asynchronous" = "1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\openglss]
"MaxWait" = "1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\openglss\nk48id]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd]
"Type" = "1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd]
"Start" = "1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd]
"ErrorControl" = "0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd]
"ImagePath" = "\??\%system%\openglssd.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd]
"DisplayName" = "OPENGL technology access"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd\Enum]
"0" = "Root\LEGACY_OPENGLSSD\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd\Enum]
"Count" = "1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd\Enum]
"NextInstance" = "1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\openglssd\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Explorer.EXE" = "%windir%\Explorer.EXE:*:Enabled:explorer"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
"Persistent" = "0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OPENGLSSD\0000\Control]
Information stealing
The trojan collects passwords used to access the following site:
https://www.e-gold.com
The trojan can send the information to a remote machine.
Other information
The trojan blocks access to the following sites:
avp.ch
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
downloads1.kaspersky-labs.com
downloads2.kaspersky-labs.com
avp.com
avp.ru
awaps.net
downloads3.kaspersky-labs.com
downloads4.kaspersky-labs.com
updates1.kaspersky-labs.com
updates2.kaspersky-labs.com
virustotal.com
updates3.kaspersky-labs.com
d-ru-2f.kaspersky-labs.com
updates4.kaspersky-labs.com
updates5.kaspersky-labs.com
downloads-us1.kaspersky-labs.com
downloads-us2.kaspersky-labs.com
downloads-us3.kaspersky-labs.com
engine.awaps.net
f-secure.com
ftp.avp.ch
ftp.downloads2.kaspersky-labs.com
ftp.f-secure.com
ftp.kasperskylab.ru
ftp.kaspersky.ru
d-ru-1f.kaspersky-labs.com
d-eu-1f.kaspersky-labs.com
rads.mcafee.com
d-eu-2f.kaspersky-labs.com
d-us-1f.kaspersky-labs.com
ftp.sophos.com
ids.kaspersky-labs.com
kaspersky.com
kaspersky-labs.com
liveupdate.symantec.com
kaspersky.ru
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
networkassociates.com
phx.corporate-ir.net
securityresponse.symantec.com
service1.symantec.com
sophos.com
spd.atdmt.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
