This threat might arrive on your PC attached to a spam email as a .ZIP or .RAR archive. We have seen the attachment use the following file names:
When the attachment is opened, it installs a file in %LOCALAPPDATA% that uses an icon imitating a Microsoft Word or WAV file. Examples of the icons used are shown below:
If you try to open this file, the malware displays an error message that says the file couldn't be opened. We have seen it use the following error message:
When this message is displayed, the malware is also installed using a random eight-character file name, for example:
It also changes the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<Eight random characters>.exe", for example "ienuuuur.exe"
With data: "%LOCALAPPDATA%\<8 random characters>.exe"
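The following check is an added example, not part of the original description: it flags Run values whose name is eight characters plus ".exe" and whose data points to a similarly named file directly in %LOCALAPPDATA%. It assumes the random characters are ASCII letters or digits; the function names, the user "alice" and the sample entries are constructed for illustration.

```python
import ntpath
import re

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Eight characters plus ".exe", as in the page's "ienuuuur.exe".
# Assumption: the random characters are ASCII letters or digits.
NAME_RE = re.compile(r"^[a-z0-9]{8}\.exe$", re.IGNORECASE)

def is_suspicious(value_name, data, local_appdata):
    """True if a Run value matches the persistence layout described above."""
    quoted = re.match(r'\s*"([^"]+)"', data)
    path = quoted.group(1) if quoted else data.strip()
    # The data may hold the literal variable or an already expanded path.
    path = re.sub(r"%LOCALAPPDATA%", lambda _: local_appdata, path, flags=re.I)
    folder, exe = ntpath.split(ntpath.normpath(path))
    root = ntpath.normcase(ntpath.normpath(local_appdata))
    in_root = ntpath.normcase(folder) == root
    return bool(NAME_RE.match(value_name) and NAME_RE.match(exe) and in_root)

def scan(entries, local_appdata):
    """Return the (name, data) pairs that match."""
    return [(n, d) for n, d in entries if is_suspicious(n, d, local_appdata)]

def read_hkcu_run():
    """Read the current user's Run values (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        count = winreg.QueryInfoKey(key)[1]
        values = (winreg.EnumValue(key, i) for i in range(count))
        return [(name, str(data)) for name, data, _type in values]

# Constructed sample data for running off Windows; not taken from a real host.
SAMPLE_APPDATA = r"C:\Users\alice\AppData\Local"
SAMPLE_ENTRIES = [
    ("ienuuuur.exe", r'"%LOCALAPPDATA%\ienuuuur.exe"'),
    ("qwhzkpta.exe", r"C:\Users\alice\AppData\Local\qwhzkpta.exe"),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("notepad2.exe", r"C:\Program Files\Notepad2\notepad2.exe"),
]

if __name__ == "__main__":
    import os, sys
    if sys.platform == "win32":
        entries, appdata = read_hkcu_run(), os.environ["LOCALAPPDATA"]
    else:
        entries, appdata = SAMPLE_ENTRIES, SAMPLE_APPDATA
    for name, data in scan(entries, appdata):
        print(f"review Run value {name!r} -> {data}")
```

A match is a reason to inspect the file, not a verdict: the pattern is generic, and the folder test is what keeps ordinary eight-letter program names such as the constructed "notepad2.exe" entry from being flagged.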
Downloads other malware
This threat can download other malware onto your PC. We have seen it download and run these threats:
Connects to a remote server
It can connect to a remote server to receive instructions from a malicious hacker, including:
- Download and run files
We have seen it connect to the following servers: