This trojan may be downloaded from a malicious website. It may also arrive as an email attachment. Known email subjects associated with this malware are:
- Really cool photos
- Exclusive photos, you'll be happy
- Spam: Great photos for you
- Great photos for you
- The best photos for you
Installation
During installation, the trojan will drop a copy of itself to:
- %systemroot%\system32\rs32net.exe
It also sets a launch point with the following registry key:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run rs32net = %systemroot%\system32\rs32net.exe
It then attempts to launch svchost.exe and injects its own code into the new process by overwriting the code of the launched svchost.exe.
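The file drop, Run value and svchost.exe injection described above can be checked for from the defender's side. The following PowerShell script is an added example, not part of the original write-up; the path and value name are taken from the page, while the parent-process heuristic for spotting an injected svchost.exe is an assumption of this example.

```powershell
# Added example: host check for the rs32net persistence artefacts described above.
# Path and Run value name come from the write-up; the svchost parent heuristic
# is an assumption of this example, not something the write-up states.

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'rs32net'
$dropPath  = Join-Path $env:SystemRoot 'system32\rs32net.exe'

$findings = @()

# 1. Launch point: a Run value named rs32net.
$runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).$valueName
if ($runValue) {
    $findings += "Run value '$valueName' present: $runValue"
}

# 2. Dropped copy under %systemroot%\system32.
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings += "File present: $dropPath (SHA256 $hash)"
}

# 3. Injected svchost.exe: a legitimate svchost.exe is normally started by
#    services.exe, so an instance with any other parent deserves a closer look.
#    (Heuristic assumption of this example; expect some benign exceptions.)
$all   = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[$p.ProcessId] = $p }
foreach ($p in ($all | Where-Object { $_.Name -eq 'svchost.exe' })) {
    $parent     = $byPid[$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    if ($parentName -ne 'services.exe') {
        $findings += "svchost.exe PID $($p.ProcessId) has unexpected parent $parentName (PID $($p.ParentProcessId))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No rs32net indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated 64-bit PowerShell so that the system32 path is not redirected to SysWOW64 and the full process list is visible.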
Execution
Upon execution, this malware will attempt to connect to the following websites:
- http://astana1988.[...]hostia.com
- http://astana.[...]fire.net
It then attempts to download additional files from a list of hard-coded IP addresses.
As of this writing, these IP addresses are down and are not available.