Once executed, the malware drops a dll file called sysmgr.dll in %systemDirectory%\wbem\ called sysmgr.dll. It also drops a temporary .bat file and executes it in order to delete the dropper.
Sysmgr.dll is registered as a service, and in order to ensure that it initializes at every system start-up the dll the following registry keys are created: HKLM\System\CurrentControlSet\Services\sysmgr HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters\ServiceDll = "%System%\wbem\sysmgr.dll" HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters\ServiceMain = "ServiceMainFunc" HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\DisplayName = "System Maintenance Service" HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\ImagePath = "%SystemRoot%\System32\svchost.exe -k sysmgr"
The service checks if the following registry entries exist: HKLM\SOFTWARE\BitDefender HKLM\SOFTWARE\KasperskyLab HKLM\SOFTWARE\Kingsoft HKLM\SOFTWARE\Symantec HKLM\SOFTWARE\Microsoft\OneCare Protection HKLM\SOFTWARE\TrendMicro
Sysmgr.dll tries to update itself by accessing the following IP: 59.106.145.**; It also checks the availability of the following IPs using the IcmpSendEcho API.: 212.227.93.** 64.233.189.** 202.108.22.**
Then it collects different pieces of information from the system such as: - User’s username and password; - installed programs on the system; - usernames and passwords from Outlook Express and MSN Messenger These pieces of information are sent to an IP address.