This Trojan may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.
This Trojan creates a registry entry to enable its automatic execution at every system startup.
Once executed, it searches for files with specific extensions. When it finds a match, it drops a copy of itself using the filename of the found file appended with the extension .EXE.
It also modifies the last section of the dropped file in an attempt to avoid easy detection. Furthermore, it creates a folder with an attribute set to
Hidden using the file name without extension of the executed copy appended with the string
1 as the folder name.
This Trojan is written in Visual Basic, a high-level programming language.
More...