Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
More information on scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
This malware is discussed in further detail in the following Labs Weblog posts:
The downloader is known to be distributed to users via a malicious website (drive-by download) or via an exploit.
When active, the downloader retrieves an encrypted file over port 443 or 80 from:
- http://bcoxgcgxes.com (encrypted file)
where (encrypted file) stands for a string defined in the sample; this string is unique to every sample.
Once downloaded, the encrypted file is first held in allocated memory, where it is decrypted; the decrypted content is then written to a file in a temporary folder and executed.
The file is encrypted with the RC2 algorithm. The cipher hash used for decryption is derived from a defined string that is also unique to every sample.
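As an added example that is not part of the F-Secure description, the following Python correlates constructed endpoint telemetry for the behaviour chain described above: a process contacts the named domain on port 80 or 443, writes a file into a Temp folder, and that file is then executed. The event fields, the process-id semantics and the Temp-folder layout are assumptions.

```python
# Added detection example (not F-Secure code): correlate the
# download -> drop to Temp -> execute chain over constructed telemetry.
from dataclasses import dataclass

DOWNLOADER_DOMAIN = "bcoxgcgxes.com"   # domain named in the description
DOWNLOAD_PORTS = {80, 443}             # ports named in the description


@dataclass
class Event:
    kind: str     # "net", "file" or "proc" (assumed event schema)
    pid: int      # net/file: acting process; proc: parent (launching) process
    detail: str   # net: "host:port"; file: path written; proc: image launched


def is_temp_path(path: str) -> bool:
    # Assumed Windows layout: any path passing through a "\Temp\" folder
    return "\\temp\\" in path.lower()


def find_download_execute_chains(events):
    """Return (pid, dropped_path) for every process that (1) contacted the
    downloader domain on port 80/443, (2) afterwards wrote a file into a
    Temp folder, and (3) then launched that same file."""
    contacted = set()      # pids that reached the domain on a listed port
    dropped = {}           # pid -> lower-cased Temp paths written afterwards
    chains = []
    for ev in events:
        if ev.kind == "net":
            host, _, port = ev.detail.rpartition(":")
            if (host.lower() == DOWNLOADER_DOMAIN and port.isdigit()
                    and int(port) in DOWNLOAD_PORTS):
                contacted.add(ev.pid)
        elif ev.kind == "file" and ev.pid in contacted and is_temp_path(ev.detail):
            dropped.setdefault(ev.pid, set()).add(ev.detail.lower())
        elif ev.kind == "proc":
            image = ev.detail.lower()
            for pid, paths in dropped.items():
                if image in paths:
                    chains.append((pid, ev.detail))
    return chains


# Constructed sample telemetry (not real logs)
SAMPLE_EVENTS = [
    Event("net", 1200, "bcoxgcgxes.com:443"),
    Event("file", 1200, r"C:\Users\alice\AppData\Local\Temp\a7f3.exe"),
    Event("proc", 1200, r"C:\Users\alice\AppData\Local\Temp\a7f3.exe"),
    Event("net", 1300, "updates.example.com:443"),                      # benign
    Event("file", 1300, r"C:\Users\alice\AppData\Local\Temp\setup.log"),  # benign
]

if __name__ == "__main__":
    print(find_download_execute_chains(SAMPLE_EVENTS))
```

Only the full chain from the contacting process is reported; a Temp write or execution by a process that never reached the domain is ignored.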