This Trojan arrives in the affected system as dropped or downloaded file by other malwares or unsuspecting users.
   Upon execution,it modifies the following registry entry to enable its automatic execution and disables Task Manager.It searches for anti-virus processes,sends the information of the affected machine to remote host,pops the warning that levys a ransom on user.

It terminates itself once found the folllowing processes in the affected system.

• gcasServ.exe 
• SpybotSD.exe 
• Ad-Aware.exe
• sunasServ.exe
• spysweeper.exe
• PPActiveDetection.exe
• msscli.exe
• Tmas.exe
• swdoctor.exe
• spycatcher.exe
• avp.exe
• ekrn.exe
• avguard.exe
• dwengine.exe

It modifies the following registry entry to enable its automatic execution at system reboot:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon 

•         Userinit = "%System%\userinit.exe, %CurrentPath%\Currentname.exe,"

It creates the following registry entry to disable Task Manager
   HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies\System

•      DisableTaskMgr = 00000001

 HKEY_USERS\S-1-5-21-1275210071-299502267-725345543-1003\Software\Microsoft\Windows\Currentversion\Policies\System

•       DisableTaskMgr = 00000001

It connects to following address to send the information of the affected host.

• http://94.102.51.150/preinstall?r=21&id={ID}&a=0&checksum=Number

It pops the warning that levy a ransom on user.

main points：

        It requirs the user to pay for online-porn-vedio-service,and it declares: Any fail to pay or knowing attempt to defraud will damage your computer and information.

This spyware is Anchiva's detection for a certain DLL file that is dropped by Spyware/Onlinegames variant.
It is also launched by infected system DLL in the infected system,then steals the user login info and sends them to a remote user via HTTPpost.

This spyware is Anchiva's detection for a certain DLL file that is dropped by Spyware/Onlinegames variant.
It is also launched by infected system DLL(mostly is dsound.dll) in the infected system.
It can reads the game directory("user\uicommon.ini") to get configuration info and steals JXSJ's login-info and then sends them to a remote user via HTTP post.

This malware arrives as a dropped file of another malware. It can also be downloaded by user by visting malicious websites.
It downloads other malware into the affected system and execute it.

Upon execution,It randomly traverse the following URL list to download a malware and save it as %system32%\{random string}.exe(It also detected as Trojan/Encrypt.21DD by ANCHIVA) and execute it.

• http://www.52{BLOCKED}.cn/sports/image.jpg
• http://www.52{BLOCKED}.cn/news/image.jpg
• http://www.52{BLOCKED}.cn/files/image.jpg
• http://www.52{BLOCKED}.cn/nba//image.jpg

 This worm mainly propagates via removalbe drives,it may also be downloaded by other malwares or unsuspecting users.
 It opens random TCP ports to connect to an Internet Relay Chat (IRC) server and joins an IRC channel. Once connected, it acts as a backdoor that allows a remote malicious user to issue commands locally on an affected machine to perform some tasks. 
 It also infects removable drives and hard disk drives.

 It injects dll to iexplorer.exe,and copies itself as follow name:
  %ProgramFiles%\Internet Explorer\svchost.exe
 
 It creates the following registry entries to enable its automatic execution at system reboot:
 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
 "system32.exe"="%USERPROFILE%\Application Data\Microsoft\system32.exe"
 
 It also drops "Autorun.inf" and a copy of itself to the removable drive and hard disk drives.
 
 It opens random TCP ports to connect to an Internet Relay Chat (IRC) server and joins an IRC channel. Once connected, it acts as a backdoor that allows a remote malicious user to issue commands locally on an affected machine to perform some tasks. 
 

This Trojan arrives in the affected system as a dropped or downloaded file by other malwares or unsuspecting users.

It copies itself into the system and registers itself in the Windows startup.

It makes contact with the resident Internet connection by opening a pre-specified TCP port. This action enables backdoor access to a remote hacker.

In addition to opening a backdoor, it also is a keylogger,it monitors user's input-information and saves them,then sends the sensitive infomation to the attacker via http post.

This Trojan arrives in the affected system as a dropped or downloaded file by other malwares or unsuspecting users.

Upon execution,It drops following files:

• %AppData%\addons.dat  - backdoor files
• %Program Files%\Bifrost\logg.dat - keylogger files
• %Program Files%\Bifrost\server.exe - copy of itself

It creates follow registry entry to enable its automatic run:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836} 
  • stubpath=%Program Files%\Bifrost\server.exe s

It also creates follow registry entries related to backdoor and keylogger:

• HKEY_CURRENT_USER\Software\Bifrost
  • klg="hex:01,"
• HKEY_CURRENT_USER\Software\Bifrost 
  • plg1="hex:ea,44,dc,02,a3,27,{...},3a,d8,5a,8f,41,"
• HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost 
  • nck="hex:ed,1b,e6,27,b9,28,d6,32,74,c3,cd,74,fa,93,5b,67, "
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo 
  • ""=""
• HKEY_USERS\S-1-5-21-1390067357-1935655697-839522115-1003\Software\Bifrost 
  • klg="hex:01,"
• HKEY_USERS\S-1-5-21-1390067357-1935655697-839522115-1003\Software\Bifrost 
  • plg1="hex:ea,44,dc,02,a3,27,{...},3a,d8,5a,8f,41,"

It makes contact with the resident Internet connection by opening a pre-specified TCP port. This action enables backdoor access to a remote hacker.
In addition to opening a backdoor, it also is a keylogger,it monitors user's input-information and saves them,then sends the sensitive infomationto the attacker via follow address.

• moooon15.no-ip.biz:{pre-specified TCP port}

      This Trojan arrives in the affected system as dropped or downloaded file by other malwares or unsuspecting users.
      Upon execution,it copys the system file %system%\sfc_os.dll to %systemroot%\my_sfc_os.dll,and invokes fcFileException function(unnamed API at oridinal 5) to disable WFP(Windows File Protection).Then renames the system file %system%\comres.dll as %system%\hunsa4.dll,drops a new file %Windows%\comres.dll which to enable this malicious dll component can automatic run at every system reboot.It also kills the process qq.exe.
      The new comres.dll steals some onlinegames-relative account,password and other sensitive information,then it sends the gained information to special Email address via specified links.It also downloads other file.

It copys the system file %system%\sfc_os.dll to %systemroot%\my_sfc_os.dll,and invokes fcFileException function(unnamed API at oridinal 5) to disable WFP(Windows File Protection).Then renames the system file %system%\comres.dll as %system%\hunsa4.dll,deletes the file %System%\dllcache\comres.dll,drops a new file %Windows%\comres.dll.

•   %System%\hunsa4.dll            --the original comres.dll 
•   %Windows%\comres.dll           --detected by Anchiva as Spyware/OnLineGames.AABC
•   %Windows%\my_sfc_os.dll        --the copy of sfc_os.dll
•   %System%\dllcache\comres.dll   --deleted         
•   %Windows%\hpig_WS2.dat         --used to save the Configuration Information   

The malicious dll steals the following onlinegames-relative account,password and other sensitive information:

• qq.exe
• asdegame.exe
• glworld.exe
• QQLogin.exe

The malicious dll sends the gained information to special Email via the following links.

• http://fw98.com/2010/qq/mail.asp?tomail=hehe@163.com&mailbody=
• http://fw98.com/2010/lz/mail.asp?tomail=hehe@163.com&mailbody=
• http://fw98.com/2010/bf/mail.asp?tomail=hehe@163.com&mailbody=
• http://fw98.com/2010/dnf/mail.asp?tomail=hehe@163.com&mailbody=
• http://www.xxx.com/qq070809/mail.asp?tomail=xxx@163.com&mailbody=

The malicious dll connects to following address to download files.
     jy74.cn/t2/houmen/rows.exe
when this writting ,the said addresses are already unavailable.

This exploit drops a malware onto the affected system. It is usually delivered via email attachments, as a component of targeted attacks. When unsuspecting user opens such mal-crafted documents, sensitive information maybe in danger of loss. It is also possible to install certain backdoors, and being controlled by the remote attacker.

Upon execution, it leverages certain vulnerabilities of Microsoft Office to execute arbitrary code, usually download or drop other malware.

• %TEMP%/svchost.exe - Detected by Anchiva as Trojan/Buzus.1AE8

        This Spyware arrives in the affected system as dropped or downloaded file by other malwares or unsuspecting users,or junk email's attachment.
        It drops a copy of itself in the Windows system folder and creates a folder with attributes set to System and Hidden to prevent users from discovering and removing its components. It modifies a registry entry to enable its automatic execution at every system reboot. It also injects itself into processes as part of its memory residency routine.This Spyware attempts to access a Web site to download file.It maybe steal sensitive online banking information.

It checks for the following processes which are related to Outpost Personal Firewall and ZoneLabs Firewall Client:

• outpost.exe
• zlclient.exe

It creates a copy of itself into %System%\sdra64.exe and add some garbage at the end of it in order to have a different md5 hash thus trying to avoid av detection.

•     %System%\sdra64.exe

It will then create the following folder and files with attributes set to System and Hidden to prevent users from discovering and removing its components:

• %System%\lowsec          -folder
• %System%\lowsec\local.ds
• %System%\lowsec\user.ds  - used to save the gathered information

It hooks API NtQueryDirectoryFile function to hide the files given above.
It trys to inject itself into the all processes as part of its memory residency routine except for csrss.exe processe.
It modifies the following registry entry to enable its automatic execution at system reboot:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon 

•         Userinit = "%System%\userinit.exe, %System%\sdra64.exe,"

It also creates the following registry entry as part of its installation routine:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network 

•         UID = "{Computer name}_{Random numbers}"

It also creates the following registry entry to disable Windows Firewall:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\SharedAccess\Parameters\ FirewallPolicy\StandardProfile 

•        EnableFirewall = "0"

It connects to following address to download files.
     http://symyho3393245.cn/tmp.dat
when this writting ,the said addresses are already unavailable.

 This trojan arrives in the affected system as downloaded file by other malwares or unsuspecting users.It may also be distributes by Email as attachment.
 It downloads other malwares to the affected system.

 Upon execution,It downloads malwares via follow urls and launch them.
 http://95.143.192.38/pr/pic/main.exe
  http://195.88.190.44/pr/pic/main.exe
  http://195.88.190.44/pr/pic/fixer_sdgareh_b.exe
  http://95.143.192.38/pr/pic/fixer_sdgareh_b.exe

  The downloaded malwares were always fake Antivirus.

This trojan is a variant of the Trojan/HTML.IFrame family. It is hosted by malicious site, and usualy be delivered to the affected system as componet of drive-by-download attack. A hidden iframe is embedded in the malicious file, which leads to a bunch of other malicious scripts, further downloads other malware.

Upon execution, it first checks if certain security related softwares have been installed, and loads malicious script or redirects to blank page accordingly. This check lists are as follows:

• res://C:\\Program%20Files\\360\\360Safe\\360hotfix.exe/GIF/172
• res://D:\\program%20files\\360safe\\360hotfix.exe/GIF/172
• res://C:\\program%20files\\360safe\\360hotfix.exe/GIF/172
• res://D:\\Program%20Files\\360\\360Safe\\360hotfix.exe/GIF/172
• res://e:\\Program%20Files\\360\\360Safe\\360hotfix.exe/GIF/172
• res://f:\\Program%20Files\\360\\360Safe\\360hotfix.exe/GIF/172
• res://C:\\Program%20Files\\Rising\\Rav\\rssafety.exe/PNG/123
• res://D:\\Program%20Files\\Rising\\Rav\\rssafety.exe/PNG/123
• res://e:\\Program%20Files\\Rising\\Rav\\rssafety.exe/PNG/123
• res://f:\\Program%20Files\\Rising\\Rav\\rssafety.exe/PNG/123
• res://C:\\program%20files\\360safe\\360Safe.exe/GIF/172
• res://D:\\program%20files\\360safe\\360Safe.exe/GIF/172
• res://E:\\program%20files\\360safe\\360Safe.exe/GIF/172
• res://F:\\program%20files\\360safe\\360Safe.exe/GIF/172
• res://C:\\program%20files\\360\\360safe\\360Safe.exe/GIF/172
• res://D:\\program%20files\\360\\360safe\\360Safe.exe/GIF/172
• res://E:\\program%20files\\360\\360safe\\360Safe.exe/GIF/172
• res://F:\\program%20files\\360\\360safe\\360Safe.exe/GIF/172

This malware arrives in the affected system as dropped or downloaded file by other malwares or unsuspecting users.
Upon execution,it drops a script file and launch it,then drops lots of Website url linkings to the Favorites Folder, and modifies the start page through replacing "Internet Explorer" in desktop and Quick Launch.

Upon execution，it drops following script file and launch it via cscript.exe:

• c:\y2.jse - detected by anchiva as Trojan/StartPage.1D43

The script file drops lots of Website url linkings to the Favorites folder:

• C:\Documents and Settings\User Name\Favorites\绿色下载站.url
• C:\Documents and Settings\User Name\Favorites\三只涨停黑马股票推荐.url
• C:\Documents and Settings\User Name\Favorites\淘宝特卖.url  
• C:\Documents and Settings\User Name\Favorites\网络赚钱宝典.url
• C:\Documents and Settings\User Name\Favorites\最实用的减肥丰胸方法大全.url
• C:\Documents and Settings\User Name\Favorites\链接\绿色下载站.url
• C:\Documents and Settings\User Name\Favorites\链接\三只涨停黑马股票推荐.url
• C:\Documents and Settings\User Name\Favorites\链接\淘宝特卖.url  
• C:\Documents and Settings\User Name\Favorites\链接\网络赚钱宝典.url
• C:\Documents and Settings\User Name\Favorites\链接\最实用的减肥丰胸方法大全.url

also drops following files:

• C:\Documents and Settings\User Name\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.ywk -replacing "Internet Explorer" in Quick Launch
• C:\Documents and Settings\User Name\桌面\Internet Explorer.ywk -replacing "Internet Explorer" in Desktop
• C:\Documents and Settings\User Name\桌面\淘宝特卖.ywk
• C:\Documents and Settings\User Name\[开始]菜单\程序\启动\y2.jse - copy of itself

 This trojan arrives in the affected system as downloaded file by other malwares or unsuspecting users.
 It drops components to system,closes processes of Antivirus,and downloads other malwares.

 It drops follow components to system:
 %windir%/jiocs.dll--detected by Anchiva as Backdoor/Inject.72E5
 %temp%/78767551--detected by Anchiva as Rootkit/Agent.4F6E
 %temp%/{random}.dll--detected by Anchiva as Spyware/RunMalware.633F
 
 It download malware list via http://www.l63.ln.cn/1128.txt as follow name.
 %windir%\sadfasdf.jpg
 
 It get malware URL from the list,continue with downloading and runing the malware.
 
 It close follow processes of Antivirus:
 safeboxTray.exe
 360tray.exe
 psapi.dll
 kavstart.exe
 kissvc.exe
 kmailmon.exe
 kpfw32.exe
 kpfwsvc.exe
 kwatch.exe
 ccenter.exe
 ras.exe
 rstray.exe
 rsagent.exe
 ravtask.exe
 ravstub.exe
 ravmon.exe
 ravmond.exe
 avp.exe
 360safebox.exe
 360Safe.exe
 rfwmain.exe
 rfwstub.exe
 rfwsrv.exe

This trojan is a variant of the family Trojan/HTML.IFrame. It is a component of drive-by-download attack toolkits, mostly hosted by malicious site. When unsuspecting user visits certain infected web page, other malwares will be downloaded without user consent, leading to further system compromise.

It contains a bunch of hidden iframes, pointing to other remote malicious JavaScripts, which usually leverage certain vulnerabilities of operating system or 3rd party software components to execute arbitrary code. It first check where the visitor comes from via the refer, and load other malicious script accordingly. Those malicious urls are blocked by Anchiva's Malicious Site as well.

This worm may be dropped by other malware. It may arrive via network shares. It may be downloaded unknowingly by a user when visiting malicious web sites.

It opens random TCP ports to connect to an Internet Relay Chat (IRC) server and joins an IRC channel. Once connected, it acts as a backdoor that allows a remote malicious user to issue commands locally on an affected machine to perform some tasks such as DDOS.

It opens random TCP ports to connect to an Internet Relay Chat (IRC) server:

• irc.bifferent.net

Port:6667
Channel:#starttrouble
Nick:Acolyte_{random letter}

Once connected, it acts as a backdoor that allows a remote malicious user to issue commands locally on an affected machine.The commands listed following:

• !UPTIME
• !RECONNECT
• !OPEN
• !DELETE
• !RAW
• !DDOSICMP
• !DDOSUDP
• !DDOSSYN
• !DDOSSTOP

This malware arrives as a dropped file of another malware. It can also be downloaded by user by visting malicious websites.
It downloads other malwares into the affected system and then runs them. 

Upon execution,It downloads two malwares from following urls and save it as "c:\1.exe" and .Then launch them.

• 195.88.190.36/pr/pic/fixer_sdgareh_b.exe(%windows%/Temp/_ex-68.exe) detect as Trojan/FakeAv.3403
• 83.133.122.160/pr/pic/fixer_sdgareh_b.exe(%windows%/Temp/_ex-68.exe) detect as Trojan/FakeAv.3403
• 195.88.190.36/pr/pic/sys.exe(%windows%/Temp/_ex-08.exe) detect as Trojan/Downloader.F743
• 83.133.122.160/pr/pic/sys.exe(%windows%/Temp/_ex-08.exe) detect as Trojan/Downloader.F743

This exploit leverages certain vulnerabilities of Internet Explorer to execute arbitrary remote code. It is usually hosted by malicious site, delivered by drive-by-download attacks. When unsuspecting user visits such infected web page, other malware will be downloaded and leading to further system compromise.

Upon execution, it takes advantage of an Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, and SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7 to execute arbitrary remote code, usually download other malware.

• MS10-002
• CVE-2010-0249

   This backdoor arrives in the affected system as E-mail attachment,it may also be downloaded by other malwares or unsuspecting users.
   Upon execution,it closes system service,downloads other malware,get remote instructions to control local computer.
   It also sends malicious E-mail.

   It copies itself as name of %windir%\System\csrss.exe
   
   It creates the following registry entries to enable its automatic execution at system reboot:
  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  "system32.exe"="%USERPROFILE%\Application Data\Microsoft\system32.exe"
  
  It closes systems security service,and creates follow registry to enable its access to internet.
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
   C:\WINDOWS\System\csrss.exe="%windir%\System\csrss.exe:*:Enabled:Microsoft Update" 
  
   It downloads other malware via follow URL:
   http://upseek.org/u/upd_0003.exe
  
   It connects to one of follow IRC servers,and gets instructions to control local computer.
  ad.fonarez.com:1021
  ad.dartonfire.com:1088
  php.gondatme.com:5190  
  
  It get download URL from IRC backdoor,and downloads E-mail content,and then sends to specified receivers.

This worm arrives as attachment to email messages spammed by another malware or a malicious user,it also Propagates via peer-to-peer networks. It drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.It drops other malicious component to system directory and creates registry key(s) as part of its installation routine.
It drops copies of itself in folders used in peer-to-peer networks. It uses attractive file names for its dropped copies. It sends junk email and uses the copy of itself as attachment and induce user to open it.

This worm arrives as attachment to email messages spammed by another malware or a malicious user.The content of email has some different forms.We get one of them and place a snapshot of these emails here,take a look:

it harvests email adresses from file using the following extention in the affected system:

•  txt
•  htm
•  xml
•  php
•  asp
•  dbx
•  log
•  nfo
•  lst
•  rtf
•  xml
•  wpd
•  wps
•  xls
•  doc
•  wab

and it dont send the email to the address with following strings:

• berkeley
• mit.e
• ibm.com
• debian
• kernel
• linux
• usenet
• rfc-ed
• sendmail
• arin.
• sun.com
• isi.e
• isc.o
• secur
• acketst
• apache
• tanford.e
• utgers.ed
• mozilla
• firefox
• redhat
• sourceforge
• slashdot
• samba
• cisco
• syman
• panda
• avira
• f-secure
• ERS\flp
• sopho
• www.ca.com
• ahnlab
• novirusthanks
• prevx
• drweb
• bitdefender
• clamav
• eset.com
• ikarus
• mcafee
• kaspersky
• virusbuster
• badware
• immunityinc.com
• avg.comsysinternals
• borlan
• inpris
• lavasoft
• jgsoft
• ghisler.com
• wireshark
• winpcap
• acdnet.com
• acdsystems.com
• acd-group
• bpsoft.com
• 2\DRI
• buyrar.com
• bluewin.ch
• quebecor.com
• alcatel-lucent.com
• ssh.com
• winamp
• nullsoft.org
• example
• mydomai
• nodomai
• ruslis
• virus
• messagelabs
• honeynet
• honeypot
• security
• idefense
• qualys
• samples
• postmaster
• webmaster
• noone
• nobody
• nothing
• anyone
• someone
• rating
• contact
• somebody
• privacy
• service
• submit
• sales
• gold-certs
• the.bat
• admin
• icrosoft
• support
• ntivi
• linux
• listserv
• certific
• security
• ot\Syst
• secur
• abuse

and the email address of the sender also can be the following:

• e-cards@hallmark.com
• invitations@twitter.com
• invitations@hi5.com
• order-update@amazon.com
• resume-thanks@google.com

and the subject of the email may like following:
 

• You have received A Hallmark E-Card!
• Your friend invited you to twitter!
• Jessica would like to be your friend on hi5!
• Shipping update for your Amazon.com order 254-71546325-658732
• Thank you from Google!

and the email message may be like any of following:
 

There's something special about that E-Card feeling. We invite you to make a friend's day and send one.
Hope to see you soon,Your friends at Hallmark.

be your friend on hi5!  I set up a hi5 profile and I want to add you as a friend so we can share pictures and start building our network.
First see your invitation card I attached! Once you join, you will have a chance to create a profile, share pictures, and find friends.

Shipping update for your Amazon.com order 254-78546325-658742.Please check the attachment and confirm your shipping details.

selected and others that may be a fit. Should there be a suitable match, we will be sure to get in touch with you. Click on the attached file to review your submitted application.Have fun and thanks again for applying to Google!

and the file name of the attachment may be like following:

• Postcard
• Invitation Card
• Shipping documents
• CV-20100120-112

This worm creates the following folders:

C:\Documents and Settings\{username}\Application Data\SystemProc
It drops the following copy of itself:

• %System%\GoogleUpdate.exe

It drops the following file:

• %System%\stacsv.exe - it detected by anchiva as:Worm/SPYBOT.2440@mm
• %Windows%\bootstat.ocx -none malicious file where save the keypress and the name running processes
• C:\Documents and Settings\{username}\Application Data\SystemProc\lsass.exe - also detected as Worm/SPYBOT.2440@mm

It adds the following keys as part of its installation routine:

• HKEY_CURRENT_USER\Software\Microsoft\Google1
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4207UWF4-IXEP-UTPF-2TDE-6606643L1T10}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Google1

This worm creates the following registry entries to enable its automatic execution at every system startup:
 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Sun Java Updater = "%System%\stacsv.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Google Update = "%System%\GoogleUpdate.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Sun Java Updater = "%System%\stacsv.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4207UWF4-IXEP-UTPF-2TDE-6606643L1T10}
StubPath = "%System%\stacsv.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
RTHDBPL = "C:\Documents and Settings\{username}\Application Data\SystemProc\lsass.exe"

This worm drops copies of itself in the following peer-to-peer shared folders:
 

• C:\program files\bearshare\shared\
• C:\program files\edonkey2000\incoming\
• C:\program files\emule\incoming\
• C:\program files\grokster\my grokster\
• C:\program files\icq\shared folder\
• C:\program files\kazaa lite k++\my shared folder\
• C:\program files\kazaa lite\my shared folder\
• C:\program files\kazaa\my shared folder\
• C:\program files\limewire\shared\
• C:\program files\morpheus\my shared folder\
• C:\program files\tesla\files\
• C:\program files\winmx\shared\

It uses the following file names for its dropped copies:

• AOL Instant Messenger (AIM) Hacker.exe
• AOL Password Cracker.exe
• Brutus FTP Cracker.exe
• Counter-Strike KeyGen.exe
• DCOM Exploit.exe
• DivX 5.0 Pro KeyGen.exe
• FTP Cracker.exe
• Half-Life 2 Downloader.exe
• Hotmail Cracker.exe
• Hotmail Hacker.exe
• ICQ Hacker.exe
• IP Nuker.exe
• Keylogger.exe
• L0pht 4.0 Windows Password Cracker.exe
• Microsoft Visual Basic KeyGen.exe
• Microsoft Visual C++ KeyGen.exe
• Microsoft Visual Studio KeyGen.exe
• MSN Password Cracker.exe
• NetBIOS Cracker.exe
• NetBIOS Hacker.exe
• Norton Anti-Virus 2005 Enterprise Crack.exe
• Password Cracker.exe
• sdbot with NetBIOS Spread.exe
• Sub7 2.3 Private.exe
• UT 2003 KeyGen.exe
• Website Hacker.exe
• Windows 2003 Advanced Server KeyGen.exe
• Windows Password Cracker.exe

This worm drops copies of itself in all removable drives,and the content of the said AUTORUN.inf file like following strings:
[autorun]
open=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-6-21-2434476521-1645641927-702000330-1542\redmond.exe
shell\open\default=1

    This Trojan arrives in the affected system as dropped or downloaded file by other malwares or unsuspecting users.It may also arrive via infected removable drives.
     Upon execution,This Trojan creates a folder named "Microsoft Common" and copys itself into it,and spreads itself with autorun.inf file via removable drives.In addition,it injects its code into processes svchost.exe and explorer.exe.Then the infected process explorer.exe will delete itself,and the infected process svchost.exe will connect to remote host,post sensitive information, acquire commands which will lead to complete the relevant operations.

Unpon execution,This Trojan creates a folder named "Microsoft Common" and copys itself into it:

•    %Program File%\Microsoft Common\svchost.exe

It creates the following registry entry to enable its automatic run at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe  

•   Debugger = %Program File%\Microsoft Common\svchost.exe

If a new removable drive is connected to an infected system, the malware will create a copy of itself to removable drives along with an autostart.inf which may lead to automatic execution of the dropped file upon the disk's access.

It injects its code into processes svchost.exe.Then the infected process svchost.exe will connect to remote host,post sensitive information(OS ProductId),acquire commands which will lead to complete the relevant operations.
The command such as：

• [number]|OS-ProductId.[options].[parameter]

number:
       It may be index of the OS-ProductId or affected machine 
options:
      d:download and launch file,[parameter] is the download address 
      w:Wait,[parameter] is the time for wait  
      x:download and launch file,[parameter] is the download address

when this writting ,it will connect to following address to download and launch malicious file
   http://109.{block}.115.34/ee/ltr1.exe   --- detect as Spyware/Zbot.4615 by Anchiva

This worm may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.

It drops some files in the Windows system folder and it will create some registry entries to enable its automatic execution at every system startup.

It captures lots of user's sensitive information and send them to a appointed URL.

Upon execution it will drop the following files:

• %system32%\msswmsjt.exe - copy of itself
• %system32%\cdfvmydo.exe - detected by anchiva as Worm/Warezov.492C@mm
• %system32%\e1.dll - detected by anchiva as Worm/Warezov.6A9A@mm
• %system32%\msyunv4_.dll - detected by anchiva as Worm/Warezov.F862@mm
• %system32%\ntmsdisp.dll - detected by anchiva as Worm/Warezov.AFE1@mm

It creates or modifies the following registry entry so that it runs every time Windows starts:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • msswmsjt="%system32%\msswmsjt.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
  • AppInit_DLLs=" ntmsdisp.dll e1.dll"

It terminates certain services related to the following Firewall:

• ZoneAlarm
• Sygate Personal Firewall
• SharedAccess
• Symantec Internet Security
• Agnitum Outpost Firewall
• McAfee Personal Firewall
• kerio winroute firewall

It injects e1.dll into following process to terminates related service.

• tbmon
• spiderml
• autodown
• mcupdate
• nod32krn
• wuauclt1
• upgrader
• avgupsvc
• drwebupw
• explorer
• avginet
• wupdmgr
• wuauclt
• kavsv
• kav

It downloads and executes unknown malware from the following website:

• post{blocked}rds-3.com/bt1308.exe

It captures lots of user's sensitive information and send them to a appointed URL.

• postcards-3.com