When the Trojan is executed, it installs the following toolbar in Internet Explorer:
The Trojan then creates the following files:
It may also drop the following file:
%ProgramFiles%\Video ActiveX Access\iesmin.exe
Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\"rare" = "%CurrentFolder%\smmain.exe"
It also creates the following registry entry:
HKEY_CURRENT_USER\Software\Protection Tools\"65005" = "1"
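A read-only check for the file and registry indicators named above, added here as an example and not part of the original write-up. The function name Test-TrojanIndicators is hypothetical, and checking the WOW6432Node registry view and Program Files (x86) goes beyond what the page lists, on the assumption that the Trojan may run as a 32-bit process on 64-bit Windows.

```powershell
function Test-TrojanIndicators {
    $findings = @()

    # Startup value "rare"; the second path is the 32-bit registry view (assumption, see lead-in).
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\policies\explorer\run'
    foreach ($key in $runKeys) {
        $p = Get-ItemProperty -Path $key -Name 'rare' -ErrorAction SilentlyContinue
        if ($p) {
            $findings += [pscustomobject]@{
                Indicator = 'Startup value "rare"'
                Location  = $key
                Data      = $p.rare
                # %CurrentFolder% differs per machine, so compare the file name only.
                NameMatch = ($p.rare -like '*smmain.exe*')
            }
        }
    }

    # Marker value "65005" = "1"; HKCU covers only the user running this check.
    $markerKey = 'HKCU:\Software\Protection Tools'
    $m = Get-ItemProperty -Path $markerKey -Name '65005' -ErrorAction SilentlyContinue
    if ($m) {
        $findings += [pscustomobject]@{
            Indicator = 'Marker value "65005"'
            Location  = $markerKey
            Data      = $m.'65005'
            NameMatch = ($m.'65005' -eq '1')
        }
    }

    # Dropped file, checked under both Program Files directories.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    foreach ($root in $roots) {
        $file = Join-Path $root 'Video ActiveX Access\iesmin.exe'
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            $findings += [pscustomobject]@{
                Indicator = 'Dropped file iesmin.exe'
                Location  = $file
                Data      = (Get-Item -LiteralPath $file).Length   # size in bytes
                NameMatch = $true
            }
        }
    }
    $findings
}

Test-TrojanIndicators | Format-Table -AutoSize -Wrap
```

An empty result means none of these indicators were found for the account running the check; the HKCU marker has to be checked once per user profile.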
The Trojan also creates the following registry subkeys:
The Trojan may periodically display the following windows:
Warning! Spyware threat!
Critical System Warning!

Title: System Alert: Malware Threats
Message:
Your computer is infected with a back door Trojan that allows the remote attacker to perform various malicious actions. Click this baloon to download malware removal software.

Title: System Alert: Trojan-Spy.Win32@mx

Title: System Alert: Trojan-Spy.Win32@mx
Message:
Vulnerable: Windows 95/98/ME/NT/2003/Windows XP
Description: Spyware program that sends confidential information to a remote attacker
Protection: Click this baloon to download official security software.

Title: Security Alert: NetWorm-i.Virus@fp
Message:
Type: Virus/Network Worm
Damage Level: High
Description: Virus that infects executable files.
Recommendation: Delete/quarantine immediately.
Protection: Click this baloon to download certified Antivirus software.

Title: System perfomance monitor: Warning
Message:
System performance slowed down by: 47%
Internet connection speed decreased by: 39%
Probable reason: Spyware applications / Adware popup windows
Click this baloon to download spyware scan tool to remove spyware/adware applications.

Title: Security Alert: Spyware found
Message:
Your computer is infected with last version of PSW.x-Vir trojan. PSW trojans steal your private information such as: passwords, IP-address, credit card information, registration details, documents, etc. Click this baloon to remove PSW.x-Vir spyware.

Title: Critical System Warning!
Message:
Your system is probably infected with latest version of Spyware.CyberLog-X.
Infection Length: 266,129 bytes
Systems Affected: Windows 95, 98, 2000, NT, 2003 Server, Windows XP
Behavior: Spyware.CyberLog-X is a spyware program that monitors user activity, logs keystrokes, and tracks Web sites visited.
Symptoms: Low Internet connection speed Low system perfomance Security center alerts Strange pop up windows
Protection: Click OK to donwload antispyware software.

Title: Internet Explorer Alert
Message:
Your computer is infected with adware or spyware that displays advertisements while you browse the Internet. Would you like to download additional software to remove malware threats and protect your system?

Title: Security warning: New variant of SpyBot@MXt
Message:
You are unprotected from new version of SpyBot@MXt trojan. SpyBot@MXt is a trojan horse that steals information and gathers email addresses from the compromised computer. Click OK to download antivirus software and pass full system scan to delete/quarantine infected files.

Title: Unhandled Exception: Invalid opertaion. The instruction at "0x66f7d450" referenced memory at "0x00000d0". If you were in the middle of something, the information you were working on might be lost. This fatal error probably occured because of a virus on your PC. Would you like to download latest version of antivirus software?
The Trojan will then connect to the following Web site and attempt to download other potentially malicious files:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":