A backdoor that copies itself to %Temp%\rundll_.exe and registers that copy for autorun under the value name rundll_ in the following registry branch:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
The malware then uses a mutex to check whether another copy of it is already running.
In the temporary folder, the backdoor creates several additional files that it uses while operating:
- rundll_.nolog—if this file is missing after the Trojan is launched, the malware creates it; the file is used to decide whether the malicious program logs events;
- rundll_.log—the Trojan writes its event log to this file if rundll_.nolog is missing after the malware is launched;
- rundll_.exe—the file to which the Trojan copies itself;
- rundll_.bat—a batch file the Trojan generates to copy itself to rundll_.exe;
- rundll_twain64.dll—despite its extension, a REG file containing commands that write the autorun entry to the registry branch above;
- rundll_dll.sid—stores the computer's unique identifier (SID), which has the form nnn550.rrr: nnn is the decimal representation of the volume serial number, 550 is a constant hard-coded in the Trojan's body, and rrr is 16 random lowercase Latin letters from the a–w range (22 characters);
- rundll_dll.dll—stores the command and control server address.
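The artifacts above are all static, so they can be hunted for directly. The following Python script is an added triage example, not code from the original description or from the malware itself: it checks a listing of %Temp% and the HKCU Run values against the file names and value name given above, and validates a rundll_dll.sid value against the nnn550.rrr layout, recovering the volume serial number. The sample listing, Run values and SID string are constructed for the example; the XXXX-XXXX rendering of the serial number is the form `vol` and `dir` display it in and is derived here, not stated in the description.

```python
import re

# File names the description attributes to the backdoor, all expected in %Temp%.
TEMP_ARTIFACTS = {
    "rundll_.exe", "rundll_.bat", "rundll_.log", "rundll_.nolog",
    "rundll_twain64.dll", "rundll_dll.sid", "rundll_dll.dll",
}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "rundll_"

# rundll_dll.sid layout per the description:
#   <decimal volume serial number>550.<16 lowercase letters from a-w>
# Anchoring on the literal 550 just before the dot keeps the parse unambiguous
# even though the serial number itself is a variable-length digit run.
SID_RE = re.compile(r"^(\d+)550\.([a-w]{16})$")


def parse_sid(text):
    """Return (volume_serial, random_part) if text matches the SID layout, else None."""
    m = SID_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def volume_serial_hex(serial):
    """Render a decimal volume serial number as Windows shows it (XXXX-XXXX)."""
    h = f"{serial & 0xFFFFFFFF:08X}"
    return f"{h[:4]}-{h[4:]}"


def triage(temp_files, run_values):
    """temp_files: file names found in %Temp%.
    run_values: {value_name: value_data} read from the HKCU Run key.
    Returns a dict of findings; an empty dict means no indicator matched."""
    findings = {}
    names = {n.lower() for n in temp_files}
    hits = sorted(TEMP_ARTIFACTS & names)
    if hits:
        findings["temp_artifacts"] = hits
    # Per the description the Trojan logs only while rundll_.nolog is absent.
    if "rundll_.log" in names and "rundll_.nolog" not in names:
        findings["logging_enabled"] = True
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE and data.lower().endswith("rundll_.exe"):
            findings["run_value"] = f"{RUN_KEY}\\{name} = {data}"
    return findings


# Constructed sample input for the example (not real telemetry).
SAMPLE_TEMP = ["rundll_.exe", "rundll_.bat", "rundll_dll.sid", "setup.log"]
SAMPLE_RUN = {
    "rundll_": r"C:\Users\alice\AppData\Local\Temp\rundll_.exe",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
}
SAMPLE_SID = "2882343476550.kdvrmpaeqctsgbhj"  # hypothetical rundll_dll.sid content

if __name__ == "__main__":
    for key, value in triage(SAMPLE_TEMP, SAMPLE_RUN).items():
        print(f"{key}: {value}")
    parsed = parse_sid(SAMPLE_SID)
    if parsed:
        serial, rand = parsed
        print(f"volume serial {serial} ({volume_serial_hex(serial)}), random part {rand}")
```

On a live host the temp listing comes from `os.listdir(os.environ["TEMP"])` and the Run values from `winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run")`; the decoded volume serial can then be compared against the serial of the system drive to confirm the SID file was generated on that machine.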
The Trojan can execute the following commands:
- SERVADDR—set a new command and control server address
- GETKILL—terminate its own process
- USE_TEMP—set a new working folder
- USE_AP
- GETRESTART—restart itself
- GETRUN
- GETTASKS
- GETDISKS
- GETURL
- GETDIR
- NGETFILE
- FTPFILE
- MYGETFILE
- WEBCAMLIST
- WEBCAMSTART
- JPGQUALITY
- SCREEN—take a screenshot and send it to the server
- TIMER