This Trojan will periodically load a designated web page in the Internet browser. It is a Windows PE EXE file. The executable file is 36 864 bytes in size. It is written in Visual C++.
Once launched, the Trojan copies itself to the Windows system directory as “winsvc32.exe”:
It then registers this file in the system registry:
“winsvc32.exe” = “%System%\winsvc32.exe”
This ensures that the Trojan will be launched each time Windows is booted on the victim machine.
Every 30 minutes, the Trojan will open http://www.greatpage.da.ru using the Windows command line.
At the time of writing, no page was hosted at this address.
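
The indicators above expressed as two host triage checks, added here as an example and not part of the original description. It assumes autorun data is available as `reg query` text output and process-creation events as (timestamp, command line) pairs; the Run key path and the `cmd.exe /c start` command form in the sample data are assumptions, since the description names neither.

```python
import re
import statistics
from datetime import datetime

# Indicators stated in the description above.
FILE_NAME = "winsvc32.exe"
URL_HOST = "greatpage.da.ru"
PERIOD_SECONDS = 30 * 60

def suspicious_autoruns(reg_query_text):
    """Return (key, value_name, data) rows of `reg query` output that reference winsvc32.exe."""
    hits, key = [], None
    for line in reg_query_text.splitlines():
        if line and not line.startswith(" "):
            key = line.strip()            # unindented line = registry key header
            continue
        row = re.match(r"\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$", line)
        if not (row and key):
            continue
        name, data = row.group(1), row.group(3)
        exe = re.search(r'([^\\/"]+?\.exe)', data, re.I)   # first executable named in the data
        if name.lower() == FILE_NAME or (exe and exe.group(1).lower() == FILE_NAME):
            hits.append((key, name, data))
    return hits

def periodic_url_launches(events, tolerance=120, min_events=3):
    """True if command lines naming the URL host recur about every 30 minutes."""
    times = sorted(datetime.fromisoformat(ts) for ts, cmd in events if URL_HOST in cmd.lower())
    if len(times) < min_events:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return abs(statistics.median(gaps) - PERIOD_SECONDS) <= tolerance

# Constructed sample input (not captured from a real host).
SAMPLE_REG = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"  # assumed key
    "    SecurityHealth    REG_EXPAND_SZ    %windir%\\system32\\SecurityHealthSystray.exe\n"
    "    winsvc32.exe    REG_SZ    C:\\WINDOWS\\system32\\winsvc32.exe\n"
)
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:05", "cmd.exe /c start http://www.greatpage.da.ru"),  # assumed form
    ("2024-01-01T09:12:00", "notepad.exe notes.txt"),
    ("2024-01-01T09:30:06", "cmd.exe /c start http://www.greatpage.da.ru"),
    ("2024-01-01T10:00:04", "cmd.exe /c start http://www.greatpage.da.ru"),
]

if __name__ == "__main__":
    print(suspicious_autoruns(SAMPLE_REG))
    print(periodic_url_launches(SAMPLE_EVENTS))
```

The autorun check matches on either the value name or the executable named in the value data, so a copy registered under a different value name is still reported.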