
How to remove Trojan.Downloader.Conhook.AK



THREAT NAME

Trojan.Downloader.Conhook.AK

CLEAN INSTRUCTIONS

1. Go to Start, Run, type regedit and press OK.


2. Locate the key:


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

3. Write down the value of the key (it should be C:\Windows\System32\NAME.dll; e.g. C:\Windows\System32\yabcyaa.dll)


4. Restart the system in Safe Mode with Command Prompt.


5. When the command prompt window appears, type the following command and press Enter:


ren C:\Windows\System32\NAME.dll a123.txt


You need to replace NAME with the value that you have previously written down.


(e.g. ren C:\Windows\System32\yabcyaa.dll a123.txt)


6. Restart the computer in normal mode, open Windows explorer, go to the C:\Windows\System32 directory, locate the a123.txt file and delete it.


7. Go to Start > Run, type regedit and press OK.


8. Locate and delete the key:


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

9. Run a scan with BullGuard.


SYMPTOMS

1. An open connection with 83.149.75.54.


2. Increased network traffic.


3. Presence of the file removalfile.bat in the user temp directory
(e.g. C:\Documents and settings\User\Local settings\Temp ).


DESCRIPTION

1. When the trojan is run, it drops a .dll file in the Windows system directory (C:\Windows\System32).


2. The new file is loaded and creates the registry key:


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

with the value pointing to its location in the system directory.

3. Through that key, the .dll is loaded into every process that uses user32.dll. It also monitors the registry to make sure that it is not prevented from running when the computer starts.


4. It will try to create a connection with 83.149.75.54 in order to download a file.


5. A file called removalfile.bat is created in the current user's C:/temp directory and run in order to delete the dropper of the .dll file.
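The AppInit_DLLs key described above is a well-known persistence point, and the value is not always a single full path. As an added example (not BullGuard's tool, and not part of the original instructions), this PowerShell script reads the key, resolves each listed DLL and reports whether it exists on disk and whether it carries a valid Authenticode signature, which is the check an administrator would run before and after the manual cleanup steps.

```powershell
# Added example: audit the AppInit_DLLs value that Trojan.Downloader.Conhook.AK abuses.
# Run in an elevated PowerShell prompt. Assumes a 32-bit view; on 64-bit Windows the
# Wow6432Node copy of the key (for 32-bit processes) should be checked the same way.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$props = Get-ItemProperty -Path $key

$dlls     = $props.AppInit_DLLs
$loadFlag = $props.LoadAppInit_DLLs   # 1 = injection enabled (present on Vista and later)

if ([string]::IsNullOrWhiteSpace($dlls)) {
    "AppInit_DLLs is empty: no DLL is being injected through this key."
    return
}

"AppInit_DLLs = '$dlls'   (LoadAppInit_DLLs = $loadFlag)"

# Entries may be separated by spaces or commas and may use %SystemRoot%-style variables.
foreach ($entry in ($dlls -split '[ ,]+' | Where-Object { $_ })) {
    $path = [Environment]::ExpandEnvironmentVariables($entry)
    if (-not [IO.Path]::IsPathRooted($path)) {
        # Bare names resolve relative to System32, matching the NAME.dll form in the instructions.
        $path = Join-Path $env:SystemRoot "System32\$path"
    }

    if (Test-Path -LiteralPath $path) {
        $file = Get-Item -LiteralPath $path
        $sig  = Get-AuthenticodeSignature -FilePath $path
        # An unsigned, recently created DLL with a random-looking name is the pattern to treat as suspect.
        "{0}`n  size={1} bytes  created={2}  signature={3}" -f $path, $file.Length, $file.CreationTime, $sig.Status
    } else {
        "$path is listed in AppInit_DLLs but does not exist on disk (stale or already renamed)."
    }
}
```

After completing the removal steps, rerunning the script should report an empty AppInit_DLLs value.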



Author:
The BullGuard Team
