Trojan:BAT/Downsys.A is a trojan that is dropped by Trojan:Win32/Downsys.A. It usually arrives with the file name "a<5 random digits>.bat".
It copies the following files into the drives E:, F:, G:, and H:, if found:
Trojan:BAT/Downsys.A then attempts to modify the system registry to allow the file "winessentials.exe" to automatically run every time Windows starts. It does this by using the command-line tool "nircmd.exe" to add the following registry entry:
Adds value: "win32api"
With data: "<system folder>\winsystem\winessentials.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
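The following added example (not part of the original analysis) shows one way to check for this Run entry by parsing the text output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`. The function names, the four-space column layout assumed for `reg query` output, and the sample text are assumptions made for illustration; the value name and file path are the ones listed above.

```python
import re

# Indicators taken from the registry entry described above.
RUN_VALUE_NAME = "win32api"
RUN_DATA_SUFFIX = r"\winsystem\winessentials.exe"

# Assumed layout of one value line in `reg query` output:
# four spaces, value name, four spaces, type, four spaces, data.
VALUE_LINE = re.compile(
    r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$"
)


def parse_run_values(reg_query_output):
    """Yield (name, type, data) for each value line; key header lines are skipped."""
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            yield m.group("name"), m.group("type"), m.group("data").strip()


def find_downsys_run_entries(reg_query_output):
    """Return Run values whose name or data matches the entry described above."""
    hits = []
    for name, _type, data in parse_run_values(reg_query_output):
        # Registry value names and Windows paths are case-insensitive.
        name_match = name.lower() == RUN_VALUE_NAME
        # Strip surrounding quotes, then compare only the tail of the path,
        # because <system folder> differs between installations.
        data_match = data.strip('"').lower().endswith(RUN_DATA_SUFFIX)
        if name_match or data_match:
            hits.append({"name": name, "data": data,
                         "name_match": name_match, "data_match": data_match})
    return hits


# Constructed sample output (not captured from a real infection).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    win32api    REG_SZ    C:\WINDOWS\system32\winsystem\winessentials.exe
    Updater Helper    REG_SZ    "C:\Program Files\Example\updater.exe" /quiet
"""

if __name__ == "__main__":
    for hit in find_downsys_run_entries(SAMPLE):
        print(hit)
```

A hit on the data path alone (with a different value name) is still worth reviewing, since the value name is the easier of the two for a variant to change.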
Analysis by Andrei Florin Saygo
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.