Additional Details
When the trojan's file is run, it shows an x-rated picture, drops
an executable file into the temporary folder and runs it. This file
copies itself as REGISTRY.EXE into the Windows folder and
creates a startup key for itself in the Windows Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Registry Services" = "%windir%\registry.exe"
On some operating system versions the trojan creates a different
run key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Run = %windir%\registry.exe
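The two startup entries above are the artifacts a responder would look for when triaging a suspect machine. The script below is an added example (not F-Secure's code or tooling): it parses a text export in .reg format of the Run-key areas and flags any value that either uses the "Registry Services" name or points at a REGISTRY.EXE image, covering both the HKLM Run key and the HKCU Policies\Explorer variant. The sample export embedded in it is constructed; the drive letters and the "VendorUpdater" entry are placeholders.

```python
"""Triage check for the REGISTRY.EXE startup entries described above.

Parses a .reg-format export and flags autorun values that match the
trojan's persistence. Added example; the sample export is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample .reg export (not captured from a real system).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Registry Services"="C:\\WINDOWS\\registry.exe"
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"Run"="C:\\WINDOWS\\registry.exe"
"NoDriveTypeAutoRun"=dword:00000091
'''

# Key-path suffixes (compared case-insensitively) where the trojan installs itself.
RUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\policies\explorer",
)
SUSPECT_VALUE_NAME = "registry services"   # value name used under HKLM\...\Run
SUSPECT_FILE_NAME = "registry.exe"         # dropped file name in the Windows folder

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(data: str) -> str:
    """Undo .reg escaping of quotes and backslashes inside string data."""
    return data.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for string (REG_SZ) values only."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(3)
            # dword:/hex: data cannot be a program path; only quoted strings matter here
            if data.startswith('"') and data.endswith('"'):
                keys[current][_unescape(name)] = _unescape(data[1:-1])
    return keys


def _image_name(data: str) -> str:
    """Best-effort executable file name from autorun data, ignoring arguments."""
    cmd = data.strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]
    else:
        cmd = cmd.split(" ", 1)[0]
    return cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_registry_exe_persistence(text: str) -> List[Tuple[str, str, str]]:
    """Flag (key, value_name, data) autorun entries matching the trojan's startup keys."""
    hits: List[Tuple[str, str, str]] = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith(RUN_KEY_SUFFIXES):
            continue
        for name, data in values.items():
            if name.lower() == SUSPECT_VALUE_NAME or _image_name(data) == SUSPECT_FILE_NAME:
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_registry_exe_persistence(SAMPLE_REG_EXPORT):
        print(f'suspicious autorun: [{key}] "{name}" = {data}')
```

Matching on the image name rather than the full path keeps the check valid whether the export shows an expanded `C:\WINDOWS\registry.exe` or the literal `%windir%\registry.exe` form. A match is a lead for manual confirmation, since a legitimate program could in principle use a file of the same name.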
The REGISTRY.EXE file is packed with the UPX file compressor. When
this file is run during every Windows session, it waits until
a user connects to the Internet and then downloads a text file from an
account at the Geocities.com site. The downloaded file contains
one or more URLs that the trojan tries to connect to. When the
trojan connects to a URL, it adds information about the user's IP
address and the '<br>Second,email_zasil' string to the URL. This
way the author of the trojan learns the IPs of computers where his
trojan is installed.
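Because the trojan appends a fixed literal string to every URL it reports to, that string is a usable network indicator in proxy or web-server access logs, where it will typically appear percent-encoded. The following is an added example (not part of F-Secure's description) that scans log lines for the marker after URL-decoding. The log layout ("time client method url status"), the host names and the query-string layout of the appended data are assumptions, since the page does not specify the exact URL format.

```python
"""Scan web/proxy access log lines for the trojan's check-in marker.

Added example with constructed log lines. The "time client method url
status" layout and the ip= query parameter are assumed, not from the page.
"""
from typing import List, Tuple
from urllib.parse import unquote, urlsplit

# The literal string the trojan appends to each URL (matched case-insensitively).
MARKER = "<br>second,email_zasil"

# Constructed sample log lines (not real traffic); host names are placeholders.
SAMPLE_LOG = """\
1036497600.123 10.0.0.5 GET http://www.example.org/index.html 200
1036497601.456 10.0.0.7 GET http://placeholder.example/cgi/log.cgi?ip=10.0.0.7%3Cbr%3ESecond%2Cemail_zasil 200
1036497602.789 10.0.0.5 GET http://www.example.org/style.css 304
1036497603.001 10.0.0.9 GET http://placeholder.example/log.cgi?ip=10.0.0.9<br>Second,email_zasil 404
1036497604.002 10.0.0.5 GET
"""


def find_checkins(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, destination_host) for each request carrying the marker."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated line; skip rather than crash
        client_ip, url = parts[1], parts[3]
        # Decode percent-encoding so both encoded and raw forms of the marker match.
        if MARKER in unquote(url).lower():
            hits.append((client_ip, urlsplit(url).hostname or ""))
    return hits


if __name__ == "__main__":
    for client_ip, host in find_checkins(SAMPLE_LOG):
        print(f"possible trojan check-in from {client_ip} to {host}")
```

The destination host is reported alongside the client because the URL list is fetched at run time and can change, so the host is useful for blocking or further correlation even though it is not a stable indicator on its own.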
The disinfection solution for this trojan is to delete its file and
also to delete the dropper that came by e-mail.
[Analysis: Alexey Podrezov; F-Secure Corp., November 5th, 2002]