Trojan.Scar!

Date of appearance/update: 2012 April
Category: Trojan
Virus database: Virus database v14.2.12.0


Incidence: Low
More information:

It copies itself to the following locations:
C:\Documents and Settings\<user name>\userinit.exe
and
C:\WINDOWS\system32\ntdevice.exe
It then runs ntdevice.exe as a new process.

In the folder below:
C:\Documents and Settings\<user name>
it creates the following file:
pizda_ntload.dll
This is a trojan program; it is detected as Trojan.DR.Agent2!V4Za4BhIM3U

Under the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
it creates the following entry:
"C:\WINDOWS\system32\ntdevice.exe"

Under the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
it creates the following entry:
"C:\Documents and Settings\<user name>\userinit.exe"

Under the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
it creates the following entry:
"explorer.exe C:\WINDOWS\system32\ntdevice.exe"
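
A defender-side check for the three autostart entries listed above, written as an added example (not part of the original description): it scans saved `reg query` output for the file paths named on this page. The sample output and its value names are constructed, since the description does not give value names.

```python
import re

# Registry keys named in the description above (compared case-insensitively).
WATCHED_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon",
}
# File locations from the description. userinit.exe is matched only inside a
# profile folder, so the genuine C:\WINDOWS\system32\userinit.exe is not flagged.
SUSPECT_PATHS = [
    re.compile(r"[a-z]:\\windows\\system32\\ntdevice\.exe", re.I),
    re.compile(r"[a-z]:\\documents and settings\\[^\\]+\\userinit\.exe", re.I),
]
# "reg query" output: 4 spaces, value name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def scan_reg_query(text):
    """Return (key, value name, data) for entries matching the description."""
    hits, key = [], None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()          # a new key section starts here
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None and key.lower() in WATCHED_KEYS:
            name, _, data = m.groups()
            if any(p.search(data) for p in SUSPECT_PATHS):
                hits.append((key, name, data.strip()))
    return hits

# Constructed sample output. Value names are assumptions; the flagged data
# strings are the ones listed in the description.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe"
    ntdevice    REG_SZ    C:\WINDOWS\system32\ntdevice.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    userinit_copy    REG_SZ    C:\Documents and Settings\alice\userinit.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
    Shell    REG_SZ    explorer.exe C:\WINDOWS\system32\ntdevice.exe
"""

if __name__ == "__main__":
    for key, name, data in scan_reg_query(SAMPLE):
        print(f"{key}\n    {name} = {data}")
```
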

The created files are hidden; Internet Explorer doesn't show them. The malware sets the date of its own files to the date when the operating system was installed.

It connects to a remote location:
blader4.co.cc