Trojan-Downloader.Win32.Braidupdate.c



Aliases
Trojan-Downloader.Win32.Braidupdate.c (Kaspersky Lab) is also known as: TrojanDownloader.Win32.Braidupdate.c (Kaspersky Lab), Trojan.Braid (Doctor Web), TROJ_BRAIDUPDT.C (Trend Micro), TR/Dldr.Braidupda.C (H+BEDV), Win32:Trojano-363 (ALWIL), Downloader.Braidupdate.C (Grisoft), Worm.WinUpToDate (ClamAV), Trj/Downloader.PO (Panda), Win32/TrojanDownloader.Braidupdate.C (Eset)

This Trojan downloads another program via the Internet and launches it on the victim machine without the user's knowledge or consent. It is a Windows PE EXE file. It is 79360 bytes in size. It is written in C++.

Installation

In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RunWindowsUpdate" = "<path to executable Trojan file> "

Payload

Once launched, the Trojan creates the following system registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunWindowsUpdate]
"Gid" = "026133246127060045718030656336"

It then sends the following request:

http://www.uptodate.browse*****.com/perl/uptodate.pl?action=any&gid=026133246127060045718030656336&clientversion=1.0.7_ST&county=&cls=&isof=00

The request to the URL shown above carries a parameter (clientversion) that reports the version of the Trojan currently installed. If no newer version of the Trojan is available, the server answers "<OK>". If a more recent version is available, the server answers with a link to the file containing the new version. The Trojan downloads this updated copy of itself and saves it to the temporary directory under the following name:

%Temp%\_ps_inst.exe

The file is then launched for execution.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  2. Delete the following system registry keys and values:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\RunWindowsUpdate]
    "Gid" = "026133246127060045718030656336"
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RunWindowsUpdate" = "<path to executable Trojan file> "
  3. Empty the temporary directory (%Temp%).
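As an added example (not part of the original description), a PowerShell host check that looks for the registry and file artifacts named above and, with -Remove, carries out steps 1 to 3. It assumes an elevated session; the WOW6432Node paths are an assumption covering a 32-bit sample whose HKLM\Software writes were redirected on 64-bit Windows.

```powershell
# Added example, not part of the original writeup: checks a Windows host for the
# Braidupdate.c artifacts listed above and, with -Remove, performs removal steps 1-3.
# Assumes an elevated PowerShell session. The WOW6432Node base path is an assumption:
# a 32-bit sample on 64-bit Windows may have its HKLM\Software writes redirected there.
[CmdletBinding()]
param([switch]$Remove)

$bases = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion')
$runValue = 'RunWindowsUpdate'
$tempFile = Join-Path $env:TEMP '_ps_inst.exe'
$findings = @()

foreach ($base in $bases) {
    # Autorun value that relaunches the Trojan at each boot (Installation section)
    $runKey = "$base\Run"
    $run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
    if ($run) {
        # The value is the path to the Trojan body, possibly quoted and with trailing space
        $exe = ($run.$runValue).Trim().Trim('"')
        $findings += "$runKey\$runValue = $exe"
        if ($Remove) {
            # The file cannot be deleted while the Trojan is running, so stop it first
            Get-Process | Where-Object { $_.Path -eq $exe } | Stop-Process -Force
            Remove-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
            if (Test-Path -LiteralPath $exe) { Remove-Item -LiteralPath $exe -Force }
        }
    }
    # Configuration key holding the Gid sent to the update server (Payload section)
    $cfgKey = "$base\RunWindowsUpdate"
    if (Test-Path -LiteralPath $cfgKey) {
        $gid = (Get-ItemProperty -Path $cfgKey -ErrorAction SilentlyContinue).Gid
        $findings += "$cfgKey (Gid = $gid)"
        if ($Remove) { Remove-Item -LiteralPath $cfgKey -Recurse -Force }
    }
}

# Downloaded update body dropped in %Temp% (Payload section)
if (Test-Path -LiteralPath $tempFile) {
    $findings += $tempFile
    if ($Remove) { Remove-Item -LiteralPath $tempFile -Force }
}

if ($findings.Count -eq 0) { 'No Braidupdate.c artifacts found.' }
else { $findings | ForEach-Object { "Found: $_" } }
```

Run it once without -Remove to review what would be deleted; the Run value is reported together with the path it points at, so an unexpected legitimate path can be checked before cleanup.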


About this Entry

This page contains a single entry by AV Secure published on December 30, 2008 11:15 AM.
