Checkin is a “downloader” trojan that downloads a given file from a certain site and runs it. The trojan itself is a Windows PE EXE file, written in MS Visual C++.
The trojan file sizes are of the following approximate sizes:
The trojan EXE file does not copy itself to any directory but creates a system registry auto-run key:
"Checkin.a": HKCUSoftwareMicrosoftWindowsCurrentVersionRun SysReg = %SystemDir%SysReg "Checkin.b": HKCUSoftwareMicrosoftWindowsCurrentVersionRun OWMngr = %SystemDir%OWMngr.exe
It seems that the trojan program should be completed by an “installator” that performs all steps for installing the trojan program into the system.
The trojan program also creates more registry keys:
HKCUSoftwareIExplore Ads AID ID LoggedIn
It uses these keys for its ‘internal’ needs.
Checkin then becomes an active process (this process is visible in the task list), downloads a file from a Web site, stores it on the hard disk using the name update.exe and executes this file.
The Web site name and remote file URL can vary. The Checkin trojan downloads this information from another Web site:
"Checkin.a": http://tp.searchseekfind.com "Checkin.b": http://ads.onwebmedia.com
At these locations the trojan uses the “Checkin.pl” file.