[INFO]
AnalystName=Chandra mohan
AnalystEMailID=gmohan@comodo.com
Team=India
Date=12-APR-2010
Type=Trojware
Platform=Win32
SubType=
Family=Cosmu
Variant=A

[OVERVIEW]
This Trojan installs itself on the victim machine. It may also act as a peer-to-peer downloader.

[TECHNICAL_DESCRIPTION]
Registry Values Added:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run : Startup loader = "name of executable"

On execution it obtains system information such as:
1. Operating system version
2. Type of OS
3. Build version
4. Platform
5. Service Packs
6. SP
7. STMSK
8. Product version

and formats it into a string as follows:
Version: OS:%d.%d, BLD:%d, PLTF:%d, SPS:%s, SP:%d.%d, STMSK:%d, PROD:%d

For example:
Version: OS:5.1, BLD:2600, PLTF:2, SPS:, SP:101.108, STMSK:51, PROD:50

The fields appear to correspond to the OSVERSIONINFOEX structure returned by GetVersionEx: major.minor version, build number, platform ID, the szCSDVersion service-pack string, service-pack major.minor, suite mask and product type. OS 5.1 build 2600 with platform ID 2 (VER_PLATFORM_WIN32_NT) is Windows XP.

Reads the "ProcessorNameString" registry value:
HARDWARE\DESCRIPTION\System\CentralProcessor\0 : "ProcessorNameString" =

Reads the "Identifier" registry value:
HARDWARE\DESCRIPTION\System\CentralProcessor\0 : "Identifier" = x86 Family 6 Model 7 Stepping 8

Enumerates running processes and writes the list to a file.

Enumerates the following key to list installed software:
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

It creates a log file with a random name under the %temp% folder and writes the obtained information into it.

Sends the log file to a remote host and obtains additional malware in return.

[SYMPTOMS]
Unwanted network traffic.
Presence of the registry value "Startup loader" in the Run key.
The computer's performance may slow down dramatically.
The computer may become very unstable.
Files may appear on the machine that you did not install.
Security notifications are received.

[DISINFECTION]
Delete the registry value "Startup loader" from the Run key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run).
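The following PowerShell script is an added example, not part of the original analysis record, showing how to check for the persistence value described above and remove it. The Run key path and the value name "Startup loader" come from the record; the executable path parsing, the process lookup and the -Remove switch are assumptions of this example. Removing the Run value alone only stops persistence: the executable it names may still be on disk and running, so the script lists it and, when asked, stops it before deleting the value.

```powershell
# Added example (not from the original analysis record): looks for the
# "Startup loader" value under the current user's Run key, reports the
# executable it points to and whether that executable is on disk or
# running, and removes the value only when -Remove is given.
# The value name and key come from the record; everything else is an
# assumption of this example.
param(
    [switch]$Remove   # only delete when explicitly asked
)

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Startup loader'

$entry = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if (-not $entry) {
    Write-Output "No '$valueName' value under $runKey"
    return
}

$target = $entry.$valueName
Write-Output "Found '$valueName' = $target"

# The value data is the loader executable, possibly quoted and followed
# by arguments; strip those so it can be matched against running processes.
$exePath = ($target -replace '^"([^"]+)".*$', '$1').Trim()

if (Test-Path -LiteralPath $exePath) {
    Write-Output "Executable present on disk: $exePath"
} else {
    Write-Output "Executable not found on disk (renamed or already deleted?): $exePath"
}

# Any live instance of the loader started from that path.
$procs = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path -eq $exePath }
foreach ($p in $procs) {
    Write-Output "Running: PID $($p.Id) $($p.Path)"
}

if ($Remove) {
    # Stop the loader first so it cannot re-create its Run value.
    $procs | Stop-Process -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $runKey -Name $valueName
    Write-Output "Removed '$valueName' from $runKey"
} else {
    Write-Output "Re-run with -Remove to stop the process and delete the value."
}
```

Because the record places the value under HKEY_CURRENT_USER, the script must be run as the infected user profile; run it once without -Remove to confirm what the value points to, then with -Remove to clean it. The executable named in the value is left on disk for analysis and should be quarantined separately.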