Win32/Chadem.A is a trojan that steals FTP credentials (server name, user name and password) from an affected machine.
When executed, Win32/Chadem.A copies itself to either %APPDATA%\winlogon.exe or %APPDATA%\Microsoft\Windows\winlogon.exe and executes that copy.
Note: %APPDATA% refers to a variable location that the malware determines by querying the operating system. The default location of the %APPDATA% folder on Windows 2000, NT and XP is C:\Documents and Settings\<user>\Application Data; on Windows Vista (and later versions) it is C:\Users\<user>\AppData\Roaming.
It may also modify the registry so that the copy runs each time Windows starts:
To key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "Microsoft Windows logon process"
With data: "%APPDATA%\Microsoft\Windows\winlogon.exe"
The value name and the file name are chosen to resemble the genuine Windows logon process. The real winlogon.exe lives in %SystemRoot%\System32 and is started by the session manager, never from a Run key, so a winlogon.exe under a user profile, or any Run value launching one, is a reliable indicator.
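A quick hunt for the persistence artefacts above, as an added example (this is not code from the Microsoft analysis or from the malware). The Run value name and the two %APPDATA% drop paths are taken from the write-up; the function names, the constructed SAMPLE_RUN_VALUES list and the (name, data) representation of the key's values are assumptions of the example. On Windows it reads the live HKCU Run key; elsewhere it scans the constructed sample.

```python
"""Hunt for the Win32/Chadem.A persistence artefacts described above.

Added example, not code from the original Microsoft analysis. The Run value
name and the two %APPDATA% drop paths are taken from the write-up; the
function names, the constructed SAMPLE_RUN_VALUES and the assumption that
the key is represented as (name, data) pairs are mine.
"""
import os
import sys
from typing import Iterable, List, Tuple

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
CHADEM_RUN_VALUE = "Microsoft Windows logon process"
CHADEM_DROP_PATHS = (
    r"%APPDATA%\winlogon.exe",
    r"%APPDATA%\Microsoft\Windows\winlogon.exe",
)

# Constructed sample of HKCU Run values: one benign entry, one Chadem-style
# entry, and one that only reuses the winlogon.exe name under a user profile.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Microsoft Windows logon process", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\winlogon.exe"),
    ("Updater", r'"C:\Users\alice\AppData\Roaming\winlogon.exe" /quiet'),
]


def _command_path(data: str) -> str:
    """Return the executable part of a Run value: the quoted path, or the first token."""
    d = data.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    return d.split(" ", 1)[0]


def _expand_appdata(path: str, appdata: str) -> str:
    """Expand only %APPDATA% (case-insensitively) so the logic also runs off-Windows."""
    low = path.lower()
    idx = low.find("%appdata%")
    return path if idx < 0 else path[:idx] + appdata + path[idx + len("%appdata%"):]


def scan_run_values(values: Iterable[Tuple[str, str]], appdata: str) -> List[Tuple[str, str]]:
    """Return the Run values that match Chadem's persistence pattern.

    A value is flagged when (a) its name is the one Chadem writes, (b) its
    command resolves to one of the two drop paths, or (c) it launches any
    file called winlogon.exe outside %SystemRoot%\\System32. The genuine
    winlogon.exe is started by the session manager, never from a Run key.
    """
    drops = {_expand_appdata(p, appdata).lower() for p in CHADEM_DROP_PATHS}
    hits = []
    for name, data in values:
        path = _expand_appdata(_command_path(data), appdata).lower()
        basename = path.rsplit("\\", 1)[-1]
        if (name.strip().lower() == CHADEM_RUN_VALUE.lower()
                or path in drops
                or (basename == "winlogon.exe" and "\\system32\\" not in path)):
            hits.append((name, data))
    return hits


def read_hkcu_run() -> List[Tuple[str, str]]:
    """Read the live HKCU Run key. Windows only; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library on Windows builds of Python
    out = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            out.append((name, str(data)))
            index += 1
    return out


def demo() -> List[Tuple[str, str]]:
    """Scan the constructed sample with a Vista-style %APPDATA% path."""
    return scan_run_values(SAMPLE_RUN_VALUES, r"C:\Users\alice\AppData\Roaming")


if __name__ == "__main__":
    appdata = os.environ.get("APPDATA", r"C:\Users\alice\AppData\Roaming")
    live = read_hkcu_run()
    for name, data in (scan_run_values(live, appdata) if live else demo()):
        print(f"suspicious Run value: {name!r} -> {data}")
    # Also look for the dropped file itself, whether or not the Run value exists.
    for drop in CHADEM_DROP_PATHS:
        candidate = _expand_appdata(drop, appdata)
        if os.path.exists(candidate):
            print(f"dropped file present: {candidate}")
```

The third rule in scan_run_values is the one worth keeping in a wider hunt: the value name and exact paths will change between variants, but a user-profile winlogon.exe launched from a Run key has no legitimate reason to exist.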
Steals Sensitive Information
When installed, the trojan monitors network traffic on the affected machine for FTP control-channel traffic. FTP sends the USER and PASS commands in clear text, so any FTP login made from the machine exposes the credentials to the sniffer; when one is found, the trojan posts the FTP server name, the user name and the password to a remote host.
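What a sniffer on the affected machine actually sees, as an added example (not the trojan's code and not from the Microsoft analysis): a parser over a reassembled FTP control connection that pairs each USER with the following PASS. The two sessions are constructed, the server name ftp.example.com is assumed, and the page does not say how the trojan captures traffic; the example simply assumes the port-21 stream has been reassembled into client and server segments. It also shows the caveat a practitioner wants: once the client's AUTH TLS is accepted, the channel is encrypted and the parser finds nothing, which is why FTPS or SFTP defeats this kind of theft.

```python
"""Extract credentials from a reassembled FTP control connection.

Added example, not the trojan's code or Microsoft's. It illustrates why
Chadem can steal FTP logins at all: FTP (RFC 959) sends USER and PASS in
clear text. The session data below is constructed and the server name
is assumed.
"""
from typing import List, NamedTuple, Sequence, Tuple

# ("c", payload) is client->server, ("s", payload) is server->client, in
# stream order, as a sniffer would reassemble them from the TCP flow.
Segment = Tuple[str, bytes]


class FtpCredential(NamedTuple):
    server: str
    user: str
    password: str


def extract_ftp_credentials(segments: Sequence[Segment], server: str) -> List[FtpCredential]:
    """Walk the control channel and pair each USER with the PASS that follows it.

    Every attempt is recorded, successful or not: a sniffer does not need the
    server's 230 reply to learn the password. Parsing stops once the client's
    AUTH TLS/SSL request is accepted (a 234 reply), because from that point
    the channel carries TLS records rather than readable FTP commands.
    """
    creds: List[FtpCredential] = []
    user = None
    auth_pending = False
    for direction, payload in segments:
        for raw in payload.split(b"\r\n"):
            if not raw:
                continue
            line = raw.decode("latin-1")  # never raises on arbitrary bytes
            if direction == "c":
                cmd, _, arg = line.partition(" ")  # PASS may contain spaces
                cmd = cmd.upper()
                if cmd == "USER":
                    user = arg
                elif cmd == "PASS" and user is not None:
                    creds.append(FtpCredential(server, user, arg))
                    user = None
                elif cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
                    auth_pending = True
            else:  # server reply
                if auth_pending:
                    auth_pending = False
                    if line.startswith("234"):
                        return creds  # channel is TLS-protected from here on
                    # any other reply (e.g. 502/530): server refused, still clear text
    return creds


# Constructed clear-text session: one failed login followed by a successful one.
CLEARTEXT_SESSION: List[Segment] = [
    ("s", b"220 ftp.example.com FTP server ready\r\n"),
    ("c", b"USER alice\r\n"),
    ("s", b"331 Password required for alice\r\n"),
    ("c", b"PASS wrongpass\r\n"),
    ("s", b"530 Login incorrect\r\n"),
    ("c", b"USER alice\r\n"),
    ("s", b"331 Password required for alice\r\n"),
    ("c", b"PASS s3cret pass!\r\n"),
    ("s", b"230 User alice logged in\r\n"),
    ("c", b"PWD\r\n"),
    ("s", b'257 "/home/alice"\r\n'),
]

# Constructed explicit-FTPS session: after the 234 reply the client bytes are
# a TLS ClientHello, not FTP text, so nothing is recoverable.
FTPS_SESSION: List[Segment] = [
    ("s", b"220 ftp.example.com FTP server ready\r\n"),
    ("c", b"AUTH TLS\r\n"),
    ("s", b"234 AUTH TLS successful\r\n"),
    ("c", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),
]


def demo() -> Tuple[List[FtpCredential], List[FtpCredential]]:
    """Run the parser over both constructed sessions."""
    return (extract_ftp_credentials(CLEARTEXT_SESSION, "ftp.example.com"),
            extract_ftp_credentials(FTPS_SESSION, "ftp.example.com"))


if __name__ == "__main__":
    clear, ftps = demo()
    for c in clear:
        print(f"clear-text FTP login seen: {c.user}@{c.server} password={c.password!r}")
    print(f"credentials recovered from FTPS session: {len(ftps)}")
```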
The trojan posts information to the following IP addresses:
In the wild, we have observed Win32/Chadem.A being downloaded and installed on affected machines by Win32/InternetAntivirus.
Analysis by Ray Roberts