Selected viruses, spyware, and other threats: sorted alphabetically
Installation
When executed, the trojan copies itself in the %windir% folder using one of the following filenames:
svchost.exe
service32.exe
Another file is dropped in the same folder. Its filename may be one of the following:
scrss32.dll
spoolsv32.dll
syshost.dll
syst32.dll
Size of the file is approximately 5 kB.
In order to be executed on every system start, the trojan modifies the following Registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
The entry added contains path to trojan executable.
Other information
The trojan contains a list of URLs. It opens these using the Explorer.
The trojan may attempt to hide its presence in the system by modifying several functions of the following library:
ntdll.dll
