This file infector may be downloaded from remote sites by other malware, dropped by other malware, or downloaded unknowingly by a user visiting malicious Web sites.
It infects by appending its code to target host files. It infects only specific file types and skips folders whose names contain certain strings.
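Because this infector appends its code past the end of the host file, the infected file carries an "overlay": bytes beyond the last section recorded in the PE section table. The script below is an added example, not code from the Trend Micro page, that parses the PE headers and flags such files. The one caveat a practitioner wants is built in: Authenticode-signed binaries legitimately carry a certificate table as overlay, so the script treats an overlay that exactly matches the IMAGE_DIRECTORY_ENTRY_SECURITY entry as signed rather than suspicious. The sample PE blob is constructed inline for testing and is not a real sample; the threshold-free "any other overlay is suspicious" rule is an assumption you would tune for installers and self-extractors.

```python
import struct
import sys

# Added example (not from the Trend Micro page): detect data appended past the
# end of the last PE section, which is where an appending file infector writes
# its code. Offsets follow the PE/COFF specification.


def _parse_pe(data: bytes):
    """Return (coff_offset, optional_header_offset, section_table_offset, num_sections)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)   # COFF NumberOfSections
    size_opt, = struct.unpack_from("<H", data, coff + 16)      # COFF SizeOfOptionalHeader
    opt = coff + 20
    sec_table = opt + size_opt
    if sec_table + num_sections * 40 > len(data):
        raise ValueError("truncated section table")
    return coff, opt, sec_table, num_sections


def end_of_last_section(data: bytes) -> int:
    """File offset just past the highest PointerToRawData + SizeOfRawData."""
    _, _, sec_table, num_sections = _parse_pe(data)
    end = 0
    for i in range(num_sections):
        # Section header: Name(8) VirtualSize(4) VirtualAddress(4) SizeOfRawData(4) PointerToRawData(4) ...
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end


def certificate_table(data: bytes):
    """(file offset, size) of the Authenticode certificate table, or (0, 0) if unsigned."""
    _, opt, _, _ = _parse_pe(data)
    magic, = struct.unpack_from("<H", data, opt)
    dd = opt + (112 if magic == 0x20B else 96)          # data directories: PE32+ vs PE32
    return struct.unpack_from("<II", data, dd + 4 * 8)  # IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def classify_overlay(data: bytes):
    """Return (overlay_size, verdict) with verdict in {'clean', 'signed', 'suspicious'}."""
    end = end_of_last_section(data)
    overlay = max(0, len(data) - end)
    if overlay == 0:
        return 0, "clean"
    cert_off, cert_size = certificate_table(data)
    # A signed binary's certificate table sits in the overlay; anything beyond it
    # is not covered by the signature and is exactly where appended code would land.
    if cert_off == end and cert_off + cert_size == len(data):
        return overlay, "signed"
    return overlay, "suspicious"


def build_sample_pe(overlay: bytes = b"", signed: bool = False) -> bytes:
    """Construct a minimal PE32 layout for testing. Constructed here; not a real
    sample and not executable."""
    sec_ptr, sec_size = 0x200, 0x200
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    if signed:                                               # certificate table covers the overlay
        struct.pack_into("<II", opt, 96 + 4 * 8, sec_ptr + sec_size, len(overlay))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", sec_size, 0x1000, sec_size, sec_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    headers += b"\0" * (sec_ptr - len(headers))
    return headers + b"\x90" * sec_size + overlay


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:  # no paths given: show the three cases on constructed blobs
        for label, blob in (("clean", build_sample_pe()),
                            ("signed", build_sample_pe(b"\x30" * 64, signed=True)),
                            ("appended", build_sample_pe(b"\xcc" * 512))):
            print(label, classify_overlay(blob))
    for path in targets:
        with open(path, "rb") as f:
            size, verdict = classify_overlay(f.read())
        print(f"{path}: overlay={size} bytes, {verdict}")
```

Run it with one or more paths to triage a directory of executables; run it with no arguments to see the clean, signed and appended cases on the constructed blobs. An overlay check only catches infectors that append, so it says nothing about code injected into section slack or a new section, and it does not verify the Authenticode signature itself; a "signed" verdict here means only that the overlay is accounted for by the certificate table.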
It drops a file, which is detected by Trend Micro as TROJ_AGENT.XOO, and then executes it, so the dropped file's own malicious routines also run on the affected system.
It terminates certain services if they are found on the system and deletes certain registry keys, most of which belong to antivirus and security applications. This routine makes the malware harder to remove from the affected system.
It creates mutex(es) to ensure that only one instance of itself is running in memory.
It downloads files, which are detected by Trend Micro as TSPY_AGENT.AMEZ, from certain URLs and executes them on the affected machine, so the downloaded files' routines are also exhibited on the affected system.