The malware copies itself to the following locations:
- c:\documents and settings\administrator\application data\flashplayerplugin.exe
- c:\documents and settings\administrator\start menu\programs\startup\ec75da55df7bc76b2f5430df05849464.exe
The malware changes the following registry entries so that it runs each time you start your PC:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ec75da55df7bc76b2f5430df05849464"
With data: ""c:\documents and settings\administrator\application data\flashplayerplugin.exe" .."
Changes system security settings
The malware adds itself to the list of applications that can access the Internet without being stopped by your firewall. It does this by making the following registry modification:
Adds value: "C:\Documents and Settings\Administrator\Application Data\FlashPlayerPlugin.exe"
With data: "c:\documents and settings\administrator\application data\flashplayerplugin.exe:*:enabled:flashplayerplugin.exe"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Allows backdoor access and control
The malware gives a hacker access to and control of your PC. They can then perform a number of different actions, including:
- Downloading and running files
- Uploading files
- Spreading malware to other PCs
- Logging your keystrokes or stealing your sensitive data
- Modifying your system settings
- Running or stopping applications
- Deleting files
This malware description was produced and published using automated analysis of file SHA1 4b14613f52018a8e5372a0febd27e8fcddfadec0.