This Trojan may arrive bundled with malware packages as a malware component. It may also arrive as a .DLL file that exports functions used by other malware.
It is usually dropped in the Windows system folder and executes every time the system is started, via an autostart registry entry that it creates.
This .DLL file is injected into the WINLOGON.EXE process running in memory. It has the capability to connect to a certain URL using the HTTP (TCP port 80) protocol to possibly download other files. It also has the capability to drop a temp file, which is detected by Trend Micro as TROJ_PANDEX.EO.
However, this Trojan requires other components in order to run properly.