Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the %system% folder using the following filename:
A string with variable content is used instead of %variable%.
In order to be executed on every system start, the trojan modifies the following Registry keys:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Layer" = "%system%\%variable%.exe"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Layer" = "%system%\%variable%.exe"
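A check for this autorun entry, as an added example that is not part of the original description: it parses the text output of "reg query" for the two keys above and reports every "Windows Layer" value, noting whether its data is an executable directly in the system folder. Assumptions: %system% means the Windows system folder (System32, or System on older hosts), and the sample output, including the file name qwkzt.exe, is constructed.

```python
import re

# Keys and value name come from the description above (compared case-insensitively).
KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
VALUE_NAME = "windows layer"
# Assumption: %system% is the Windows system folder (System32 or System).
SYSTEM_EXE = re.compile(
    r'^"?(?:[a-z]:\\win(?:dows|nt)|%(?:systemroot|windir)%)'
    r'\\system(?:32)?\\[^\\"]+\.exe"?$', re.I)
# "reg query" prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def find_persistence(reg_query_output):
    """Return (key, data, in_system_folder) for each 'Windows Layer' autorun value."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()          # start of a new key section
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or key.lower() not in KEYS:
            continue
        name, _type, data = (part.strip() for part in m.groups())
        if name.lower() == VALUE_NAME:
            hits.append((key, data, bool(SYSTEM_EXE.match(data))))
    return hits

# Constructed sample of "reg query" output; not taken from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Windows Layer    REG_SZ    C:\WINDOWS\system32\qwkzt.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Windows Layer    REG_SZ    C:\WINDOWS\system32\qwkzt.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Layer    REG_SZ    D:\tools\layer.exe
"""

if __name__ == "__main__":
    for key, data, in_system in find_persistence(SAMPLE):
        print(f"{key}: {data} (system-folder exe: {in_system})")
```

A hit whose data is not in the system folder is still reported, with the last field set to False, so a relocated copy is not missed.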
Other information
The trojan receives data and commands from a remote computer or the Internet.
The trojan connects to the following addresses:
The IRC protocol is used.
It can execute the following operations:
- send the list of disk devices and their type to a remote computer
- download files from a remote computer and/or Internet
- spread via shared folders and P2P networks
- send various information about the infected computer
- collect information about the operating system used
- connect to remote computers on a specific port
- stop itself for a certain time period
- obtain the list of shared network folders
- capture webcam video/voice
- capture screenshots
- send files to a remote computer
- retrieve the CPU information
- redirect traffic
- monitor network traffic
- spread via IM networks
- log keystrokes
- terminate running processes
- run executable files
- shut down/restart the computer
- perform port scanning
- open a specific URL address
- perform DoS/DDoS attacks
- update itself to a newer version
- delete folders
- create folders
- move files
- delete files
- open ports