Threat Encyclopedia

Installation

When executed, the trojan copies itself into the %temp% folder under the following filename:

winlogon.exe

The following file is dropped:

system.dll

The trojan injects its code into running processes. To be executed on every system start, it sets the following Registry entry:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Firewall auto setup" = "%temp%\winlogon.exe"

The following Registry entries are set:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\host
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\host

The trojan modifies executables referenced by the following Registry entry:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The following file is deleted:

%system%\drivers\etc\hosts

Other information

The trojan sends e-mail messages according to instructions downloaded from the Internet.

The trojan hides its presence in the system using techniques common to rootkits.

The trojan opens TCP port 80.
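
A read-only PowerShell check for the host indicators listed under Installation, added here as an example and not part of the original entry. The function name Get-TrojanIndicator is hypothetical, and the script assumes %temp% and %system% mean the current user's temp folder and the Windows system directory.

```powershell
# Added example: read-only check for the indicators listed in this entry.
# Get-TrojanIndicator is a hypothetical name; %temp% and %system% are assumed to
# mean the current user's temp folder and the Windows system directory.
function Get-TrojanIndicator {
    $hits = New-Object System.Collections.Generic.List[string]
    $temp = [IO.Path]::GetTempPath()
    $sys  = [Environment]::SystemDirectory

    # Persistence: HKCU Run value "Firewall auto setup" = "%temp%\winlogon.exe"
    $run = Get-Item -LiteralPath 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($name in $run.GetValueNames()) {
            $data = [Environment]::ExpandEnvironmentVariables([string]$run.GetValue($name))
            # A Run entry that starts a winlogon.exe outside the system directory
            # is masquerading as the Windows logon process.
            $fakeWinlogon = ($data -match '\\winlogon\.exe') -and
                ($data.IndexOf($sys, [StringComparison]::OrdinalIgnoreCase) -lt 0)
            if ($name -eq 'Firewall auto setup' -or $fakeWinlogon) {
                $hits.Add("Run entry: $name = $data")
            }
        }
    }

    # Copied and dropped files in the temp folder
    foreach ($file in 'winlogon.exe', 'system.dll') {
        $path = Join-Path $temp $file
        if (Test-Path -LiteralPath $path -PathType Leaf) { $hits.Add("File present: $path") }
    }

    # The entry does not say whether "host" is a subkey or a value, so check both.
    foreach ($parent in 'Desktop', 'Security') {
        $key = "HKCU:\Software\Microsoft\Internet Explorer\$parent"
        $asValue = Get-ItemProperty -LiteralPath $key -Name host -ErrorAction SilentlyContinue
        if ((Test-Path -LiteralPath "$key\host") -or $asValue) {
            $hits.Add("Registry entry present: $key\host")
        }
    }

    # The trojan deletes the hosts file, so its absence is itself an indicator.
    $hostsFile = Join-Path $sys 'drivers\etc\hosts'
    if (-not (Test-Path -LiteralPath $hostsFile -PathType Leaf)) {
        $hits.Add("hosts file missing: $hostsFile")
    }
    return $hits
}

Get-TrojanIndicator
```

Because the trojan hides its presence with rootkit techniques, an empty result from a running system is not conclusive.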