It then registers itself in the system registry:
[HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows]
"load" = "%Windir% "
This ensures that the Trojan will be launched each time Windows is booted on the victim machine.
Every five seconds the Trojan will check for a connection to the Internet.
When a connection to the Internet is established, the Trojan will open the following URL:
http://web.icq.com/whitepages/p***_me/.....
Once this URL has been opened, an ICQ message will be sent to the remote malicious user. The message contains the IP address, name, and user name of the victim machine. This message will be sent each time a connection to the Internet is established.
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the Trojan process
- Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following file:
%Windir%
- Delete the following entry from the system registry:
[HKCUSoftwareMicrosoftWindows NTCurrentVersionWindows]
"load" = "%Windir% "
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).