Win32/Neurevt [Threat Name]

Win32/Neurevt.I [Threat Variant Name]

Category: trojan
Size: 266205 B
Detection created: Apr 24, 2015
Signature database version: 11530
Aliases: Trojan-Ransom.NSIS.Onion.je (Kaspersky), Trojan:Win32/Skeeyah!bit (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely. It uses techniques common for rootkits.

Installation

When executed, the trojan copies itself into the following location:

  • %commonprogramfiles%\Windows Search 5.3.10\aywa539e.exe

The trojan creates the following files:

  • %temp%\%variable%\stripers.dll (54118 B, Win32/Injector.CAXO)
  • %appdata%\11 The Notorious B.I.G. - Everyday Struggle.flac (188416 B)

A string with variable content is used instead of %variable%.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Search 5.3.10" = "%commonprogramfiles%\Windows Search 5.3.10\aywa539e.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    • "Windows Search 5.3.10" = "%commonprogramfiles%\Windows Search 5.3.10\aywa539e.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    • "EnableFirewall" = 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    • "EnableFirewall" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aywa539e.exe]
    • "DisableExceptionChainValidation" = ""
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe]
    • "Debugger" = "%variable%.exe"

A string with variable content is used instead of %variable%.

The first two entries switch off the Windows Firewall for the standard and public profiles; the third sets the per-image switch for SEH chain validation (SEHOP) on the trojan's own image; the last hijacks System Restore, because Windows runs the "Debugger" command instead of rstrui.exe whenever that program is started.


The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Logitech, Inc.]
    • "WindowLayout" = %binvalue%
  • [HKEY_CURRENT_USER\Software\AppDataLow\Google Updater]
    • "LastUpdate" = %binvalue%
  • [HKEY_LOCAL_MACHINE\Software\Win7zip]
    • "Uuid" = %binvalue%

The trojan executes the following files:

  • %malwarefilepath%
  • %system%\wuauclt.exe
  • %windows%\explorer.exe

The trojan then creates and runs a new thread containing its own code inside these processes.


The trojan creates and runs a new thread with its own program code in all running processes except the following:

  • services.exe

The trojan hooks the following Windows APIs:

  • CoGetObject (ole32.dll)
  • DnsQuery_W (dnsapi.dll)
  • EncryptMessage (secur32.dll)
  • getaddrinfo (ws2_32.dll)
  • GetAddrInfoExW (ws2_32.dll)
  • GetAddrInfoW (ws2_32.dll)
  • gethostbyname (ws2_32.dll)
  • HttpSendRequestW (wininet.dll)
  • NtAllocateVirtualMemory (ntdll.dll)
  • NtCreateFile (ntdll.dll)
  • NtCreateKey (ntdll.dll)
  • NtCreateThread (ntdll.dll)
  • NtCreateThreadEx (ntdll.dll)
  • NtDeleteFile (ntdll.dll)
  • NtDeleteValueKey (ntdll.dll)
  • NtDeviceIoControlFile (ntdll.dll)
  • NtEnumerateValueKey (ntdll.dll)
  • NtOpenDirectoryObject (ntdll.dll)
  • NtOpenFile (ntdll.dll)
  • NtOpenKey (ntdll.dll)
  • NtOpenProcess (ntdll.dll)
  • NtOpenThread (ntdll.dll)
  • NtProtectVirtualMemory (ntdll.dll)
  • NtPulseEvent (ntdll.dll)
  • NtQueryDirectoryFile (ntdll.dll)
  • NtQueryInformationThread (ntdll.dll)
  • NtQuerySystemInformation (ntdll.dll)
  • NtQueryValueKey (ntdll.dll)
  • NtQueueApcThread (ntdll.dll)
  • NtReadVirtualMemory (ntdll.dll)
  • NtResumeThread (ntdll.dll)
  • NtSetContextThread (ntdll.dll)
  • NtSetEvent (ntdll.dll)
  • NtSetInformationFile (ntdll.dll)
  • NtSetValueKey (ntdll.dll)
  • NtSuspendProcess (ntdll.dll)
  • NtSuspendThread (ntdll.dll)
  • NtTerminateProcess (ntdll.dll)
  • NtTerminateThread (ntdll.dll)
  • NtUnmapViewOfSection (ntdll.dll)
  • NtWriteVirtualMemory (ntdll.dll)
  • PR_Write (nspr4.dll)
  • SetWindowLongA (user32.dll)
  • SSL_write (ssleay32.dll)
  • KiFastSystemCall (ntdll.dll)
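
The hook list above is the kind of claim an analyst verifies by comparing each export's first bytes as mapped in a live process with the clean copy from the DLL on disk, then decoding the trampoline to see where control is redirected. The following is an added example of that check and is not part of the ESET description: it recognises the common x86 trampolines (and one x64 form, which goes beyond the 32-bit KiFastSystemCall case on this page), and the ntdll load range, the NtCreateFile address, the stub bytes and the hook target are all constructed values, not measurements from a real sample.

```python
"""Inline-hook check for a user-mode API export (added example, not ESET tooling).

Compares an export's entry bytes as seen in process memory with the clean bytes from the
DLL on disk; if they differ, decodes the trampoline and reports where it jumps and whether
that target lies inside the owning module. All addresses and bytes below are constructed.
"""
import struct


def classify_prologue(code, address):
    """Decode the control transfers hooks commonly plant at an API's entry.
    Returns (kind, absolute_target) or None when the bytes do not start with one."""
    if len(code) >= 5 and code[0] == 0xE9:                                        # JMP rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (address + 5 + rel) & 0xFFFFFFFFFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:                    # PUSH imm32 ; RET
        return "push imm32 / ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xff\xe0":           # MOV EAX, imm32 ; JMP EAX
        return "mov eax, imm32 / jmp eax", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":  # MOV RAX, imm64 ; JMP RAX (x64)
        return "mov rax, imm64 / jmp rax", struct.unpack_from("<Q", code, 2)[0]
    return None


def check_export(name, disk_bytes, memory_bytes, address, module_range):
    """Diff entry bytes (disk vs. memory). If patched, resolve the hook target and say whether it
    stays inside the module (benign thunk or hot-patch) or leaves it (injected code)."""
    lo, hi = module_range
    patched = [i for i, (a, b) in enumerate(zip(disk_bytes, memory_bytes)) if a != b]
    result = {"export": name, "hooked": bool(patched), "patched_offsets": patched}
    if patched:
        hook = classify_prologue(memory_bytes, address)
        if hook:
            kind, target = hook
            result.update(kind=kind, target=target, target_in_module=lo <= target < hi)
    return result


# Constructed sample: x86 ntdll mapped at 0x77A00000-0x77B30000 and a NtCreateFile stub of the
# Windows 7 x86 shape (mov eax, <syscall>; mov edx, 7FFE0300h; call [edx]; ret 2Ch).
# The syscall number 0x52 is a placeholder, not a real value.
NTDLL_RANGE = (0x77A00000, 0x77B30000)
NTCREATEFILE_VA = 0x77A5C2E0
CLEAN_NTCREATEFILE = bytes.fromhex("b852000000ba0003fe7fff12c22c00")
HOOK_TARGET = 0x003C1000                       # constructed: bot code injected into the process
HOOKED_NTCREATEFILE = (b"\xe9" + struct.pack("<i", HOOK_TARGET - (NTCREATEFILE_VA + 5))
                       + CLEAN_NTCREATEFILE[5:])

if __name__ == "__main__":
    for label, mem in (("clean", CLEAN_NTCREATEFILE), ("hooked", HOOKED_NTCREATEFILE)):
        print(label, check_export("NtCreateFile", CLEAN_NTCREATEFILE, mem, NTCREATEFILE_VA, NTDLL_RANGE))
```

On a live host the memory side comes from ReadProcessMemory at the export's address and the disk side from the PE file after resolving the export RVA and applying relocations; a jump that stays inside the module is usually a legitimate thunk, so only out-of-module targets deserve an alert.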

Spreading on removable media

The trojan may create copies of itself on removable drives.


The trojan copies itself into the root folders of removable drives using the following name:

  • %variable1%pp.exe

The following files are dropped in the same folder:

  • %variable2%.lnk

The .lnk file is a shortcut that launches the dropped executable.

A string with variable content is used instead of %variable1-2%.

The shortcut's name may be based on the name of an existing file or folder on the drive.
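
The removable-drive pattern described above (an executable in the drive root plus a shortcut named after an existing item that launches it) can be confirmed by parsing each .lnk on the root and checking where it points. The following is an added example, not part of the ESET description: a minimal MS-SHLLINK parser plus the triage rules, run over a constructed drive listing. The file names, the drive letter E:, the volume serial number and the .lnk bytes are all constructed for the demo; the parser reads only LinkInfo and StringData and skips the ItemIDList, so shortcuts whose target is a network share come back with a target of None.

```python
"""Triage of .lnk shortcuts on a removable-drive root (added example, not ESET tooling).

Flags a shortcut when it launches an executable sitting in the same drive root, when its name
mirrors a hidden folder or file beside it, or when the target file itself is hidden. The drive
listing and the .lnk bytes are constructed; a real listing comes from os.scandir(drive).
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_DIRECTORY, FILE_ATTRIBUTE_ARCHIVE = 0x02, 0x10, 0x20
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))


def _cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    """Pull the local target path (LinkInfo) and the StringData fields out of an MS-SHLLINK file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags, attrs = struct.unpack_from("<II", data, 0x14)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:                  # skip the ItemIDList; LinkInfo carries the plain path
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINK_INFO:
        info_size, _hdr, info_flags, _vol, base_off, _net, suffix_off = struct.unpack_from("<7I", data, pos)
        if info_flags & 0x01:                             # VolumeIDAndLocalBasePath: target on a local drive
            target = _cstr(data, pos + base_off) + _cstr(data, pos + suffix_off)
        pos += info_size
    out = {"target": target, "attributes": attrs}
    for flag, field in STRING_FIELDS:                     # StringData: u16 character count, then the characters
        if flags & flag:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            out[field] = data[pos:pos + n * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += n * width
    return out


def build_lnk(local_path, arguments="", relative_path="", attrs=FILE_ATTRIBUTE_ARCHIVE):
    """Constructed minimal .lnk (LinkInfo + Unicode StringData), used only to feed the demo."""
    flags = (HAS_LINK_INFO | IS_UNICODE | (HAS_RELATIVE_PATH if relative_path else 0)
             | (HAS_ARGUMENTS if arguments else 0))
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, attrs, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume = struct.pack("<IIII", 17, 2, 0x1234ABCD, 16) + b"\x00"   # DRIVE_REMOVABLE, empty label
    base = local_path.encode("cp1252") + b"\x00"
    base_off = 28 + len(volume)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + 1, 28, 0x01, 28, base_off, 0, suffix_off) + volume + base + b"\x00"
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments) if s)
    return header + link_info + strings + struct.pack("<I", 0)        # TerminalBlock ends ExtraData


def triage_removable_root(entries, drive="E:"):
    """entries: {name: (attributes, lnk_bytes_or_None)} for the drive root. Returns suspicious shortcuts."""
    by_lower = {n.lower(): n for n in entries}
    root = drive.lower() + "\\"
    findings = []
    for name, (_, blob) in entries.items():
        if not name.lower().endswith(".lnk"):
            continue
        lnk = parse_lnk(blob)
        target = (lnk["target"] or "").lower()
        reasons = []
        if target.startswith(root) and target.endswith(".exe") and target.count("\\") == 1:
            reasons.append("target is an executable in the drive root")
        twin = by_lower.get(name[:-4].lower())
        if twin and entries[twin][0] & FILE_ATTRIBUTE_HIDDEN:
            reasons.append("shortcut name mirrors a hidden folder/file")
        exe = by_lower.get(target.rsplit("\\", 1)[-1])
        if exe and entries[exe][0] & FILE_ATTRIBUTE_HIDDEN:
            reasons.append("target file is hidden")
        if reasons:
            findings.append((name, lnk["target"], lnk.get("arguments", ""), reasons))
    return findings


SAMPLE_ROOT = {   # constructed listing of an infected USB root
    "Photos": (FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN, None),
    "Photos.lnk": (FILE_ATTRIBUTE_ARCHIVE, build_lnk(r"E:\kx7qpp.exe", arguments="Photos")),
    "Invoices.lnk": (FILE_ATTRIBUTE_ARCHIVE, build_lnk(r"E:\kx7qpp.exe", arguments="Invoices")),
    "kx7qpp.exe": (FILE_ATTRIBUTE_ARCHIVE | FILE_ATTRIBUTE_HIDDEN, None),
    "Report.lnk": (FILE_ATTRIBUTE_ARCHIVE, build_lnk(r"C:\Program Files\Office\winword.exe", arguments=r"E:\Report.docx")),
}

if __name__ == "__main__":
    for name, target, args, reasons in triage_removable_root(SAMPLE_ROOT):
        print(f"{name} -> {target} {args!r}: {'; '.join(reasons)}")
```

The hidden-attribute checks matter because the worm relies on Explorer's default of hiding such items: the user sees only the shortcut bearing the folder's name, and the hidden original is passed as an argument so the payload can open it and look legitimate.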

Information stealing

Win32/Neurevt.I is a trojan that steals passwords and other sensitive information.


The trojan collects the following information:

  • computer name
  • operating system version
  • user name
  • information about the operating system and system settings
  • CPU information
  • FTP account information
  • installed antivirus software
  • the list of installed software
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • contact names
  • volume serial number
  • default Internet browser

The trojan attempts to send gathered information to a remote machine. The HTTP protocol is used.

Other information

The trojan serves as a backdoor. It can be controlled remotely.


The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • spread via removable drives
  • open a specific URL address
  • execute shell commands
  • uninstall itself
  • perform DoS/DDoS attacks
  • set up a proxy server
  • block access to specific websites
  • monitor network traffic
  • delete cookies
  • send requested files
  • create Registry entries
  • delete Registry entries

The trojan checks for Internet connectivity by trying to connect to the following servers:

  • google.com
  • microsoft.com
  • update.microsoft.com
  • windowsupdate.microsoft.com

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Software\AppDataLow\Software\%variable1%\%variable2%\%variable3%]
  • [HKEY_CURRENT_USER\Software\AppDataLow\Software\%variable1%\%variable2%\%variable4%]

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}]
    • "Flags" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%imagename%]
    • "Debugger" = "%variable5%.exe"

where %imagename% is each of the following 66 image names (security-product and updater executables):

  • ccsvchst.exe
  • symerr.exe
  • cltlmh.exe
  • NAV.exe
  • usrreq.exe
  • avwebloader.exe
  • updrgui.exe
  • avgmfapx.exe
  • avgupd.exe
  • avgcfgex.exe
  • avgdiagex.exe
  • avgwdsvc.exe
  • avgidsagent.exe
  • avgui.exe
  • coreServiceShell.exe
  • uWinMgr.exe
  • uiWatchDog.exe
  • mcshield.exe
  • mcupdmgr.exe
  • ALUpdate.exe
  • update_tmp.exe
  • arcaclean.exe
  • WRSA.exe
  • zatray.exe
  • updating.dll
  • ForceField.exe
  • PSANCU.exe
  • PSUAMain.exe
  • PSUNMain.exe
  • pavjobs.exe
  • AVENGINE.exe
  • Upgrader.exe
  • adaware.exe
  • AdAwareService.exe
  • ABgScan.exe
  • RsTray.exe
  • RavMonD.exe
  • RsMgrSvc.exe
  • rsmain.exe
  • updater.exe
  • pctsSvc.exe
  • pctsAuxs.exe
  • pctsGui.exe
  • sbamui.exe
  • SBAMTray.exe
  • FProtTray.exe
  • FPWin.exe
  • op_mon.exe
  • niu.exe
  • K7TSUpdT.exe
  • guardxup.exe
  • a2start.exe
  • a2service.exe
  • a2guard.exe
  • cfp.exe
  • CLPSLA.exe
  • V3Lite.exe
  • ASDSvc.exe
  • autoup.exe
  • mbamgui.exe
  • mbamdor.exe
  • mbam.exe
  • mbamservice.exe
  • mbamscheduler.exe
  • Mrtstub.exe
  • MRT.exe

The remaining entries are:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DragonUpdater]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    • "EnableLUA" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
    • "Debugger" = "cmd.exe /c start "" "%internetexplorerpath%" """
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe]
    • "Debugger" = "cmd.exe /c start "" "%internetexplorerpath%" """
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360browser.exe]
    • "Debugger" = "cmd.exe /c start "" "%internetexplorerpath%" """
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
    • "DisableSR" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv]
    • "ImagePath" = ""
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend]
    • "ImagePath" = ""
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Ext]
    • "VersionCheckEnabled" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\VersionManager]
    • "DownloadVersionList" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy]
    • "EnableJavaUpdate" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy]
    • "EnableJavaUpdate" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Adobe ARM\1.0\ARM]
    • "iCheckReader" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Adobe ARM\1.0\ARM]
    • "iCheckReader" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate]
    • "DisableWindowsUpdateAccess" = 1
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "TaskbarNoNotification" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "HideSCAHealth" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    • "EnableSmartScreen" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
    • "SmartScreenEnabled" = "Off"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\11.0]
    • "DoNotAllowIE11" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\12.0]
    • "DoNotAllowIE12" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
    • "Check_Associations" = "yes"
  • [HKEY_CURRENT_USER\SOFTWARE\Clients\StartMenuInternet]
    • "(Default)" = "IEXPLORE.EXE"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
    • "Progid" = "IE.HTTP"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
    • "Progid" = "IE.HTTPS"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
    • "Progid" = "IE.AssocFile.HTM"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
    • "Progid" = "IE.AssocFile.HTM"

The Image File Execution Options "Debugger" entries make Windows run the named command instead of the program whenever that program is launched, so the listed security products cannot start, and chrome.exe, firefox.exe and 360browser.exe open Internet Explorer instead. The other entries disable UAC (EnableLUA = 0), System Restore (DisableSR = 1), the Windows Update and Windows Defender services (blank ImagePath), user access to Windows Update and the Security Center notifications, set SmartScreen to "Off", and make Internet Explorer the default browser and handler for HTTP, HTTPS and .htm/.html.


A string with variable content is used instead of %variable1-5%.


The following services are disabled:

  • BITS
  • MpsSvc
  • SharedAccess
  • wscsvc
  • wuauserv
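
Every tamper described in this section and under Installation leaves a Registry value that can be checked offline from a `reg export` file taken during triage. The following is an added example, not ESET tooling: it parses the Windows Registry Editor 5.00 text format and applies rules for IFEO "Debugger" hijacks, Run/RunOnce entries under Common Files, disabled firewall profiles, EnableLUA = 0, DisableSR = 1, and watched services with a blank ImagePath or Start = 4. The .reg sample is constructed to mirror the entries on this page; the user name, the randomised %variable5% file name q7zk3f1a.exe and the benign OneDrive and notepad.exe entries are made up to show what is and is not flagged.

```python
"""Offline triage of a .reg export for the persistence and tamper indicators described above.

Added example, not ESET tooling. Parses the text produced by `reg export` so it runs anywhere;
the sample below is constructed to mirror the Registry entries listed on this page.
"""
import re

IFEO = r"software\microsoft\windows nt\currentversion\image file execution options"
WATCHED_SERVICES = {"bits", "mpssvc", "sharedaccess", "wscsvc", "wuauserv", "windefend"}

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Search 5.3.10"="C:\\Program Files\\Common Files\\Windows Search 5.3.10\\aywa539e.exe"
"OneDrive"="C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="q7zk3f1a.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
"Debugger"="cmd.exe /c start \"\" \"C:\\Program Files\\Internet Explorer\\iexplore.exe\" \"\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend]
"ImagePath"=""
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv]
"Start"=dword:00000004
'''

VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)          # .reg doubles backslashes and escapes embedded quotes


def _parse_value(v):
    v = v.strip()
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        return _unescape(v[1:-1])                # REG_SZ
    if v.lower().startswith("dword:"):
        return int(v[6:], 16)                    # REG_DWORD
    return v                                     # hex(...) blobs kept raw; not needed for these rules


def parse_reg(text):
    """Return {key_path: {value_name: value}} from Windows Registry Editor 5.00 / REGEDIT4 text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].lstrip("-")     # "[-HKEY...]" is a delete-key directive; keep the path
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        keys[current][name] = _parse_value(m.group(2))
    return keys


def triage(keys):
    """Apply the rules for this page's indicators; returns (rule, subject, value) tuples."""
    findings = []
    for path, values in keys.items():
        k = path.lower()
        leaf = k.rsplit("\\", 1)[-1]
        low = {n.lower(): v for n, v in values.items()}
        if IFEO in k and "debugger" in low:                      # <leaf> now launches the "Debugger" string
            findings.append(("ifeo_debugger", leaf, low["debugger"]))
        if leaf in ("run", "runonce") and "\\currentversion\\" in k:
            for name, cmd in values.items():                     # autorun from Common Files is unusual
                if isinstance(cmd, str) and "\\common files\\" in cmd.lower():
                    findings.append(("autorun_common_files", name, cmd))
        if "\\firewallpolicy\\" in k and low.get("enablefirewall") == 0:
            findings.append(("firewall_disabled", leaf, 0))
        if k.endswith("\\policies\\system") and low.get("enablelua") == 0:
            findings.append(("uac_disabled", "EnableLUA", 0))
        if k.endswith("\\systemrestore") and low.get("disablesr") == 1:
            findings.append(("system_restore_disabled", "DisableSR", 1))
        if "\\currentcontrolset\\services\\" in k and leaf in WATCHED_SERVICES:
            if low.get("imagepath") == "":
                findings.append(("service_imagepath_blank", leaf, ""))
            if low.get("start") == 4:
                findings.append(("service_disabled", leaf, 4))
    return findings


if __name__ == "__main__":
    for rule, subject, value in triage(parse_reg(SAMPLE_REG)):
        print(f"{rule:24} {subject:24} {value!r}")
```

A real `reg export` file is UTF-16LE with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing the text to `parse_reg`. Legitimate IFEO "Debugger" values exist (vsjitdebugger.exe, windbg.exe), so treat the rule as a review list rather than a verdict; the other rules are direct matches on the values this trojan writes.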

The trojan hides its presence in the system.


It uses techniques common for rootkits.
