by alexander.adamov on May 14th, 2012 in Malware Descriptions.

Platform: Win32
Type: Virus
Size: 176309 bytes
Language: Visual Basic Script


This virus is designed to install a Trojan on the victim machine without the user's knowledge or consent.

Technical Details


The malicious script is used when opening an infected page in the browser. The script extracts a file from its body and saves it to the current user's Windows temporary folder with the following name:


The file is 86016 bytes in size and is a Trojan program.

The virus then launches the file and finishes its work.

Once launched, the Trojan copies the system libraries «ntdll.dll» and «kernel32.dll» to the current user's Windows temporary folder with the following name:


where <rnd> is a random number.

Once all the required information is received, these files are removed.

To detect the default browser, the Trojan then reads the value of the following registry key:


If Google Chrome is set as a default browser, the Trojan launches as a hidden process and injects its code into the address space of its process. If another browser is set as default, the Trojan launches a hidden process called "iexplore.exe".

The code injected by the Trojan searches for all HTML pages available on the user’s PC and infects them by adding a maliciousscript to the end section of those files.

In addition, the Trojan copies its executable file as follows:


where <rnd> – 8 random letters of the Latin alphabet.

To ensure it starts when the compromised machine is rebooted, the Trojan changes a value of the following registry key:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%WinDir%\system32\userinit.exe,,%ProgramFiles%\<rnd>\<rnd>.exe"

In addition, the Trojan interacts with the intruder server using the following network address:


Removal Recommendations

  1. Delete the original virus file (its file name and location depends on the way the Trojan originally penetrated a user’s computer).
  2. Delete files:
  3. %Temp%\svchost.exe

  4. Change the registry key value to (How to Work with System Registry):
  5. [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit" = "%WinDir%\system32\userinit.exe,,"

  6. Clean the Temporary Internet Files folder, which contains infected files (How to clean Temporary Internet Files folder).
  7. Run a full scan of your computer using the Antivirus program with the updated definition database (Download Ad-Aware Free).