A Trojan designed to perform web injections, steal passwords stored by popular FTP clients, and intercept email addresses and data entered in various forms. It is distributed via mass mailings.
The Trojan copies itself to WINDOWS\System32\(Filename). The file name is built from one or more of the following tokens, optionally followed by a number of random characters: win, video, def, mem, dns, setup, user, logon, hlp, mixer, pack, mon, srv, exec, play.
The malware sets the following registry value (an Image File Execution Options "Debugger" entry, which makes Windows start the listed file in place of userinit.exe at every logon and so keeps the Trojan persistent):
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe\Debugger --> (Filename)
Its data is stored in the following branch:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\(Random 8-character-value)\Default
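The two registry locations above are the most useful host-based indicators for this family. The following script is an added example (not part of the original description, and not the vendor's tooling) that parses a `reg export` style dump and flags a Debugger value hijacking userinit.exe, a Debugger pointing at a System32 file whose name matches the token scheme described above, and a random 8-character subkey with a Default value under Internet Settings\5.0. The registry dump embedded in it is constructed for illustration; the file name, hex payload and subkey name are invented and are not real indicators.

```python
import re
from pathlib import PureWindowsPath

# Name tokens the description says the dropped copy is built from.
NAME_TOKENS = ("win", "video", "def", "mem", "dns", "setup", "user", "logon",
               "hlp", "mixer", "pack", "mon", "srv", "exec", "play")

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options" "\\")
INET_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\5.0" "\\")

# Constructed sample dump (assumption: this is what `reg export` would produce
# on an infected host); the file name, hex bytes and subkey are made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe]
"Debugger"="C:\\WINDOWS\\System32\\winlogonmixer21.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\a7Kq9zX2]
@=hex:4d,5a,90,00,03,00,00,00,\
  04,00,00,00,ff,ff,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache]
"Persistent"=dword:00000001
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from a .reg style dump.

    Hex values continued over several lines (trailing backslash) are joined;
    the default value written as '@' is stored under the name '(Default)'.
    """
    keys = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if line.endswith("\\"):          # data continues on the next line
            pending = line[:-1]
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = data
    return keys


def reg_string(data):
    """Unquote a REG_SZ value as written in a .reg file."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


def suspicious_copy_name(path):
    """True if the path is a System32 file whose name contains a known token."""
    p = PureWindowsPath(path)
    in_system32 = p.parent.name.lower() == "system32"
    stem = p.stem.lower()
    return in_system32 and any(tok in stem for tok in NAME_TOKENS)


def find_indicators(keys):
    """Apply the three rules; each finding is (rule, subject, detail)."""
    findings = []
    for key, values in keys.items():
        if key.lower().startswith(IFEO_PREFIX.lower()):
            exe = key[len(IFEO_PREFIX):]
            debugger = values.get("Debugger")
            if debugger is None:
                continue
            target = reg_string(debugger)
            if exe.lower() == "userinit.exe":
                findings.append(("ifeo-userinit-hijack", exe, target))
            elif suspicious_copy_name(target):
                findings.append(("ifeo-suspicious-debugger", exe, target))
        elif key.lower().startswith(INET_PREFIX.lower()):
            sub = key[len(INET_PREFIX):]
            data = values.get("(Default)", values.get("Default"))
            if re.fullmatch(r"[A-Za-z0-9]{8}", sub) and data is not None:
                findings.append(("inet-settings-data-store", sub, data))
    return findings


def scan(text):
    return find_indicators(parse_reg_export(text))


if __name__ == "__main__":
    for rule, subject, detail in scan(SAMPLE_REG_EXPORT):
        print(f"{rule}: {subject} -> {detail}")
```

On a live host the same rules can be run against the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and the corresponding export of the Internet Settings branch. A Debugger value on userinit.exe is treated as a hit on its own, since no legitimate software registers a debugger for the logon helper; the token rule is only a weak heuristic and is applied to other Debugger entries so that a legitimate just-in-time debugger registered for an application is not flagged.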
The malware injects its code into the following processes (system processes, web browsers, email clients and FTP clients):
winlogon.exe, svchost.exe, explorer.exe, msmsgs.exe, iexplore.exe, firefox.exe, myie.exe, avant.exe, mozilla.exe, maxthon.exe, opera.exe, navigator.exe, safari.exe, chrome.exe, thebat.exe, outlook.exe, msimn.exe, ftpte.exe, coreftp.exe, filezilla.exe, totalcmd.exe, cftp.exe, FTPVoyager.exe, SmartFTP.exe, WinSCP.exe.
The Trojan gathers computer-related information and sends it to remote servers. From those servers, the malicious program receives various commands and data to perform web injections.