HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
adding the value:
"wersds.exe.exe" = %sysdir%\doriot.exe
where %sysdir% represents the path to the user's Windows System directory.

The executable contains a downloader Trojan component with a codebase similar to that of the Mitglieder Trojan. Upon infection, and every 6 hours thereafter, it attempts to download the file b.jpg from up to 131 different websites. If successful, it writes this file as _re_file.exe to the Windows folder and executes it. This file contains a mass-mailing component, used to spam the Trojan to others. The executed component drops the following files to the Windows System folder:
windll.exe
windll.exeopen
windll.exeopenopen
and the following registry key is modified:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
adding the value:
"erthgdr"="%sysdir%\windll.exe"
(where %sysdir% signifies the location of that user's Windows System folder).
By default, on Windows 95/98/ME the Windows System folder is C:\Windows\System, on Windows NT/2000 it is C:\Winnt\System32, and on Windows XP it is C:\Windows\System32.
The mass-mailer harvests email addresses from a wide range of file types found on the infected system, using those addresses to mail the Trojan to others. It also copies itself to any folder whose name contains the string 'shar', facilitating further spread via shared network drives and P2P networks. The Trojan that is mass-mailed subsequently downloads the mass-mailer, repeating the process described above.
A backdoor spam relay is opened on TCP/UDP port 80 on infected systems.
Manual removal
Use the Windows Task Manager to shut down the processes associated with all files named above. Delete the registry modifications made. Delete the associated files. Scan the system with up-to-date antivirus software to detect and remove any additional threats that may have been downloaded by this Trojan.
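As an added example (not part of the original write-up), the following script checks an exported copy of the two Run keys described above for the persistence values this Trojan adds, so the entries to delete can be identified before removal. It parses `.reg` text as produced by `reg export`; the sample dump, the benign entries in it and the function names are constructed for this example, while the value names and payload filenames come from the description above.

```python
"""Flag this Trojan's Run-key persistence values in a `reg export` (.reg) dump."""
import re
from typing import NamedTuple

# Indicators taken from the write-up: value names added, and the files they launch.
RUN_VALUE_NAMES = {"wersds.exe.exe", "erthgdr"}
PAYLOAD_FILES = {"doriot.exe", "windll.exe"}
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

class Hit(NamedTuple):
    key: str
    name: str
    data: str
    reason: str

_KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKEY_...\Run]
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "name"="data"

def find_run_key_indicators(reg_export: str) -> list[Hit]:
    """Return every value under either Run key whose name or target matches an indicator."""
    hits, current_key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if (m := _KEY_RE.match(line)):
            current_key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if not m or current_key is None or current_key.lower() not in RUN_KEYS:
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
        target = data.strip('"').split("\\")[-1].lower()           # launched filename
        if name.lower() in RUN_VALUE_NAMES:
            hits.append(Hit(current_key, name, data, "known value name"))
        elif target in PAYLOAD_FILES:
            hits.append(Hit(current_key, name, data, "known payload filename"))
    return hits

# Constructed sample dump: two harmless entries plus the Trojan's additions.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"wersds.exe.exe"="C:\\Windows\\System32\\doriot.exe"
"erthgdr"="C:\\Windows\\System32\\windll.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"Updater"="C:\\Windows\\System32\\windll.exe"
"""

if __name__ == "__main__":
    for hit in find_run_key_indicators(SAMPLE_REG_EXPORT):
        print(f"{hit.key}\\{hit.name} = {hit.data}  <- {hit.reason}")
```

The last sample entry shows why the target filename is checked as well as the value name: a renamed value still points at windll.exe.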

