Overview
Characteristics
Trojan characteristics are as follows:
- Appearance of spyware threatening message each time when Internet Explorer is launched.
- Presence of winapi32.dll file in %windows%\sytem32 folder.
Symptoms
Symptoms are as follows:
- Display of spyware threatening message each time when browser is launched.
- Winapi32.dll present in %windows%\system32 folder is installed as Browser Helper Object.
Browser Helper Objects are executable files that are loaded when the browser is launched. They can perform various tasks, such as generating extra pop-up ads, monitoring page navigation, etc.
Method of Infection
Installation:
File: Install.exe
Hash: 71b9b09bb37d3cf3b114ae5b665a747e
Size: 71,172 bytes.
Upon execution trojan downloads the following files from i-femdom.com website.
Following files are created in %windows%\sytem32 folder:
- a.exe
- alxres.dll
- bridge.dll
- dailytoolbar.dll
- jao.dll
- questmod.dll
- runsrv32.dll
- runsrv32.exe
- tcpservice2.exe
- txfdb32.dll
- udpmod.dll
- winapi32.dll
- winsrv32.exe
- wstart.dll
Following files are created in %windows% folder:
- alexaie.dll
- alxie328.dll
- alxtb1.dll
- blue-bg.gif
- BTGrab.dll
- close-bar.gif
- dlmax.dll
- Pynix.dll
- remove-spyware-btn.gif
- susp.exe
- warning-bar-ico.gif
- win-sec-center-logo.gif
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants