Detect Date 12/30/2015
Class Trojan
Platform Win32

This malware family poses a critical security threat to infected computers.

After obtaining control of an infected computer, the malware copies itself under random names to the %temp%, %windir%, and %appdata% folders. These copies are then added to the list of programs that run automatically when the operating system starts. The malware also sends HTTP GET requests to download files from the cybercriminal’s server and makes changes to the Windows Registry on the infected computer.

The most common changes to the Windows Registry include:

  • Disabling of system programs and services, such as:
    • Windows Firewall
    • Task Manager
    • Registry Editor
    • User Account Control (UAC)
  • Adding registry entries for Windows services
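
A PowerShell triage check for the changes listed above, added here as an example and not taken from the original page or the vendor. The registry paths and value names are standard Windows settings chosen as assumptions, since the page does not say which keys this family modifies. The function name Get-TamperFinding and the rule "executable directly inside one of the three folders" are likewise hypothetical.

```powershell
# Added example, not from the original page. Key and value names are standard
# Windows settings chosen as assumptions; the page does not list exact keys.
function Get-TamperFinding {
    $sys = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $fw  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $checks = @(
        @{ What = 'Task Manager disabled';    Path = "HKCU:\$sys"; Name = 'DisableTaskMgr';       Bad = 1 }
        @{ What = 'Registry Editor disabled'; Path = "HKCU:\$sys"; Name = 'DisableRegistryTools'; Bad = 1, 2 }
        @{ What = 'UAC disabled';             Path = "HKLM:\$sys"; Name = 'EnableLUA';            Bad = 0 }
        @{ What = 'Firewall off (domain)';    Path = "$fw\DomainProfile";   Name = 'EnableFirewall'; Bad = 0 }
        @{ What = 'Firewall off (private)';   Path = "$fw\StandardProfile"; Name = 'EnableFirewall'; Bad = 0 }
        @{ What = 'Firewall off (public)';    Path = "$fw\PublicProfile";   Name = 'EnableFirewall'; Bad = 0 }
    )
    foreach ($c in $checks) {
        # A missing value means the Windows default applies, so it is not reported.
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -ne $v -and $v -in $c.Bad) {
            [pscustomobject]@{ Finding = $c.What; Location = "$($c.Path)\$($c.Name)"; Data = $v }
        }
    }

    # Autorun entries whose executable sits directly in %temp%, %appdata% or %windir%.
    $dirs = $env:TEMP, $env:APPDATA, $env:windir | ForEach-Object { $_.TrimEnd('\') }
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        $key = Get-Item -Path $k -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue($name))
            # Take the command line up to the first executable extension (handles quotes and spaces).
            if ($cmd -notmatch '^\s*"?(.+?\.(exe|com|scr|pif|bat|cmd))\b') { continue }
            $exe = $Matches[1]
            if ((Split-Path -Parent $exe) -in $dirs) {
                [pscustomobject]@{ Finding = 'Autorun from watched folder'; Location = "$k\$name"; Data = $exe }
            }
        }
    }
}

Get-TamperFinding | Format-Table -AutoSize -Wrap
```

The HKCU checks cover only the account running the script, and any hit is a lead to review rather than proof of infection, since administrators can set the same values by policy.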

Top 10 countries with most attacked users (% of total attacks)

Rank  Country    % of users attacked worldwide*
1     Russia     19.10
2     India      7.95
3     Vietnam    5.44
4     Indonesia  5.42
5     Germany    4.06
6     Turkey     3.70
7     France     2.93
8     Brazil     2.51
9     USA        2.43
10    Morocco    2.19

* Percentage among all unique Kaspersky users worldwide attacked by this malware
