Description:
This spyware usually arrives as a file dropped by other malware or as a file downloaded unknowingly by a user when visiting malicious Web sites. Its icon resembles that of a .ZIP file in an attempt to trick users into thinking it is a normal .ZIP file.
Upon execution, it displays the following image file:

It then proceeds to delete files with certain file name extensions in all folders of the affected system.
It also drops the following image files in the same folder where it executes:


It uses the file names of certain deleted files for the dropped image files.
It creates a certain folder in the root folder (usually C:\), then creates certain files in that folder.
It executes a particular command and stores the output in the .TXT files that it creates.
Moreover, it creates another folder using a certain format. That folder is created on a particular File Transfer Protocol (FTP) site, using a particular user account.
It then uploads the created files to that folder.