executed, the malware first ensures it will be launched on every system startup
by changing several registry keys.
It will include
itself in the Windows Firewall exceptions to seem more unobtrusive. Malware writers don't
want their victims to know of their presence.
then drop a rootkit into %windir%\system32\drivers\oqmihn.sys which will try to
kill several security suites. It will also change some registry keys associated
with these security products to disable their services. It also disables Task Manager and
the Registry Editor.
drops and launches a keylogger into %windir%\system32\28463\svchost.exe and is
detected as Trojan.Keylog.Ardamax.NAL.
tries to connect to several URLs, which were unavailable at the time of
spreads using removable drives or can be downloaded from several websites.
it will create a copy of itself in %windir%\system32\explorer.exe. If this copy
is executed, it will open the real explorer.exe and continue its evil
search for a file called wscft.exe located in the same folder from which it
was launched. If the file is found, it will be copied to
%windir%\system32 as well.
also changes several registry keys to ensure it is being loaded at system
will periodically search for online-game-related applications running on the
computer and terminate them. The targeted games are: Warcraft III,
Counter-Strike, NFS Underground 2, Crazy Arcade, O2-JAM, PopKart Client,
YB_OnlineClient, legend of mir2, CTRacer Client, Audition, Fly for Fun, Online,
In order to
further disguise itself it will use the version information of the legitimate
explorer.exe from the infected system.
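A read-only triage script for the artifacts described above, added here as an example and not part of the BitDefender write-up. It assumes the file paths as read from the text with their path separators restored, and that Task Manager and the Registry Editor are disabled through the standard DisableTaskMgr and DisableRegistryTools policy values, which the write-up does not name.

```powershell
# Added example, not from the BitDefender write-up: read-only host triage for the
# artifacts named above. Paths come from the text (separators restored); the
# DisableTaskMgr / DisableRegistryTools policy values are an assumed mechanism.
$sys32    = Join-Path $env:windir 'system32'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files named in the write-up.
$dropped = @(
    (Join-Path $sys32 'explorer.exe'),        # worm copy; the real explorer.exe lives in %windir%
    (Join-Path $sys32 'wscft.exe'),
    (Join-Path $sys32 'drivers\oqmihn.sys'),  # rootkit driver
    (Join-Path $sys32 '28463\svchost.exe')    # Ardamax keylogger; a real svchost.exe never sits in a subfolder
)
foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings.Add("file present: $p (SHA256 $hash)")
    }
}

# 2. Version-info spoofing: the copy borrows the legitimate explorer.exe's version
#    resource, so identical version strings with different hashes are the tell.
$real = Join-Path $env:windir 'explorer.exe'
$fake = Join-Path $sys32 'explorer.exe'
if ((Test-Path -LiteralPath $real) -and (Test-Path -LiteralPath $fake)) {
    $sameVersion = (Get-Item $real).VersionInfo.FileVersion -eq (Get-Item $fake).VersionInfo.FileVersion
    $sameHash    = (Get-FileHash $real).Hash -eq (Get-FileHash $fake).Hash
    if ($sameVersion -and -not $sameHash) {
        $findings.Add("$fake carries the version info of $real but is a different binary")
    }
}

# 3. Task Manager / Registry Editor disabled through policy values (assumed mechanism).
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
            if ($props.$name -eq 1) { $findings.Add("$key\$name = 1") }
        }
    }
}

# 4. Firewall rules whose program is one of the dropped binaries (rule paths may use %SystemRoot%).
Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -and ($dropped -contains [Environment]::ExpandEnvironmentVariables($_.Program)) } |
    ForEach-Object { $findings.Add("firewall rule allows $($_.Program)") }

if ($findings.Count -eq 0) { 'no indicators from this write-up found' } else { $findings }
```

Run it from an elevated PowerShell session; every check only reads, so it is safe to use on a suspect host before any cleanup decision.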
in this article is available courtesy of BitDefender virus researchers: Dana
Stanut and Ovidiu Visoiu