This downloader from the Opnis family was found in the attachments of e-mail messages.
When it runs, it creates a garbage temporary file and opens it with Notepad. It then copies
itself to the Windows system folder under a randomly chosen filename, for example "bcvohifcvw.exe".
When executed, it shows a Windows message box with the text "Update successfuly installed".
It creates or modifies the following registry keys and entries:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKLM\Software\Microsoft\Tracing SUCCESS
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
It tries to download and execute a file from the http://www6.rasetikuinyunhderunsa.com/ webpage.
VirusBuster products offer detection and removal with database update 9.46.5 or higher.
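As an added example (not part of the VirusBuster write-up), a small Python checker that correlates the behaviours described above over constructed sandbox events: the random-named copy dropped in the system folder, the write to the Winlogon key, and the contact with the listed domain. The event log format and the "random-looking name" heuristic are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of a sandbox/EDR event log: "<seq>,<pid>,<event>,<target>"
SAMPLE_LOG = """\
1,1234,ProcessCreate,C:\\Users\\u\\AppData\\Local\\Temp\\invoice.exe
2,1234,FileCreate,C:\\Users\\u\\AppData\\Local\\Temp\\tmp3f2a.txt
3,1234,ProcessCreate,C:\\Windows\\notepad.exe
4,1234,FileCreate,C:\\Windows\\system32\\bcvohifcvw.exe
5,1234,RegistryWrite,HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
6,1234,NetworkConnect,www6.rasetikuinyunhderunsa.com
7,5678,FileCreate,C:\\Windows\\system32\\drivers\\etc\\hosts
8,5678,NetworkConnect,update.example.com
"""

# Indicators taken from the write-up above
C2_DOMAIN = "www6.rasetikuinyunhderunsa.com"
WINLOGON_KEY = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
SYSTEM_DIR_EXE = re.compile(r"^C:\\Windows\\system32\\([a-z]+)\.exe$", re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Assumed heuristic for the generated basenames: 8+ lowercase letters
    with a low vowel ratio or a long consonant run (e.g. 'bcvohifcvw')."""
    if not re.fullmatch(r"[a-z]{8,}", name):
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    longest_consonant_run = max(len(r) for r in re.findall(r"[^aeiou]+", name))
    return vowels / len(name) < 0.3 or longest_consonant_run >= 4


def score_events(log: str) -> dict:
    """Group events by pid and collect the write-up's behavioural indicators per process."""
    findings = defaultdict(list)
    for line in log.splitlines():
        _, pid, event, target = line.split(",", 3)
        pid = int(pid)
        if event == "FileCreate":
            m = SYSTEM_DIR_EXE.match(target)
            if m and looks_random(m.group(1)):
                findings[pid].append(f"random-named exe dropped in system dir: {target}")
        elif event == "RegistryWrite" and target.lower() == WINLOGON_KEY.lower():
            findings[pid].append("write to Winlogon key (persistence candidate)")
        elif event == "NetworkConnect" and target.lower() == C2_DOMAIN:
            findings[pid].append(f"contact with known downloader domain {target}")
    return dict(findings)


def suspicious_pids(log: str, threshold: int = 2) -> list:
    """Flag a process only when at least `threshold` independent indicators match."""
    return sorted(pid for pid, hits in score_events(log).items() if len(hits) >= threshold)


if __name__ == "__main__":
    for pid, hits in score_events(SAMPLE_LOG).items():
        print(pid, hits)
    print("flagged:", suspicious_pids(SAMPLE_LOG))
```

Requiring two or more indicators keeps a single benign system-folder write (pid 5678 above) from raising an alert on its own.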