-
TROJ_AGENT.AGSA
-
TROJ_VB.CEO
This Trojan may be dropped by other malware.
Upon execution, this Trojan creates a folder, where it drops several copies of itself. It also drops a non-malicious file. This Trojan creates a registry entry to enable its automatic execution at every system startup.
This Trojan accesses URLs to download files. The downloaded files are related to download sites and are non-malicious.
-
PE_PATCHEP.A
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

Malware Overview
This file infector may be dropped by other malware. It is the Trend Micro detection for the modified copy of a legitimate file that contains injected code.
Upon execution, this file infector uses a certain API to load and execute a .DLL file detected by Trend Micro as TROJ_AGENT.DGW.
As a result, malicious routines of the .DLL file are executed on the affected system.
-
TROJ_RENOS.ZX
-
MAL_OTORUN1
This is the Trend Micro detection for suspicious AUTORUN.INF files that allow automatic execution of malware in removable drives.
If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately, especially if it came from an untrusted or unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.
To submit files, please refer to the Solution section.
-
POSSIBLE_VBM
This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:
If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately, especially if it came from an untrusted or unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.
-
CRYP_NSANTI-3
This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:
If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately, especially if it came from an untrusted or unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.
-
TROJ_FAKEALER.HO
This Trojan may be downloaded from remote sites by the Trend Micro detection TROJ_RENOS.ADX.
It installs itself as a fake antivirus application named ANTIVIRUS XP 2008. It shows fake alert pop-ups stating that the affected system is infected with several viruses.


It then leads the user to a spoofed antivirus application window.

When the user tries to remove the viruses, it will prompt the user to pay for the service before cleaning the infection.
It modifies the system registry such that its automatic execution at every system startup is enabled. It creates folders and drops files.
-
CRYP_TAP-5
This is the Trend Micro heuristic detection for suspicious files that manifest similar behavior and characteristics as the following malware:
If your Trend Micro product detects a file under this detection name, do not execute the file. Delete it immediately, especially if it came from an untrusted or unknown source (e.g., a Web site of doubtful nature). However, if you have reason to believe that the detected file is non-malicious, you can submit a sample for analysis. Detailed analysis will be done on submitted samples, and corresponding removal instructions will be provided, if necessary.
-
TROJ_VUNDO.IAX