Description:
To get a one-glance comprehensive view of the behavior of this spyware, refer to the Behavior Diagram shown below.
Spyware Overview
This spyware arrives as an attachment to email messages spammed by another malware or a malicious user. It may also be downloaded from remote site(s) by other malware, dropped by other malware, or downloaded unknowingly by a user when visiting malicious Web site(s).
It drops a copy of itself, a non-malicious batch file and a file detected by Trend Micro as TROJ_AGENT.CWT.
It terminates the initially executed copy and executes the dropped copy. It also executes the dropped file. As a result, malicious routines of the dropped file are exhibited on the affected system.
This spyware creates a registry entry to enable its automatic execution at every system startup. It also creates registry keys and modifies a certain registry entry as part of its installation routine.
It gathers information by searching for certain Protected Storage items. It sends the gathered information to several URLs using HTTP POST. This routine risks exposing the sensitive information, which may then lead to unauthorized use of the stolen data.
It also creates a mutex to ensure that only one instance of itself is running in memory. It deletes itself after execution. It also deletes files found in a certain folder under the current user's profile folder.