[INFO]
AnalystName=RAJA BABU.A AnalystEMailID=rajababua@comodo.com Team=India Date=03-FEB-2010 Type=TrojWare Platform=Win32 SubType= Family=ExeDot Variant=

[OVERVIEW]
This Trojan is a .NET ActiveX control that acts as a Browser Helper Object (BHO); the family is referred to as ExeDot. It registers a DLL as a BHO on the system. Because Internet Explorer loads every registered BHO automatically at start-up, the DLL runs each time Internet Explorer is launched and may download further malware.

[TECHNICAL_DESCRIPTION]
Registry keys added:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}

Registry values added:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\TypeLib\: "{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\InprocServer32\: "%Program Files%\Shared\lib.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\InprocServer32\ThreadingModel: "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\: "Browser Helper Object"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\NoExplorer: 0x00000001

The CLSID key registers the COM class and points InprocServer32 at the dropped DLL; the entry under Browser Helper Objects is what makes Internet Explorer load that CLSID at start-up. NoExplorer = 1 means the BHO is loaded by Internet Explorer only and not by the Windows Explorer shell.

Files added:
%Program Files%\Shared\lib.dll

[SYMPTOMS]
There are no obvious symptoms that indicate the presence of this malware on an affected machine.

[DISINFECTION]
Delete the following registry key value:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\InprocServer32\: "%Program Files%\Shared\lib.dll"

Delete the following file:
%Program Files%\Shared\lib.dll

Note: deleting only the InprocServer32 value leaves the CLSID key and the Browser Helper Objects registration listed above in place, so Internet Explorer will still try to instantiate the CLSID on every start. To remove the persistence completely, also delete the Browser Helper Objects key and the CLSID key listed under "Registry keys added". Close all Internet Explorer windows before deleting the DLL; a DLL that is loaded into a running process cannot be deleted.
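The registry layout above is how every BHO is wired up, so the same walk (Browser Helper Objects key -> CLSID -> InprocServer32 -> DLL on disk) works as a generic hunt, not just as a check for this sample. The script below is an added example and not part of the Comodo entry: it inventories every registered BHO, resolves each CLSID to its DLL, checks the Authenticode signature, and flags entries that match this family's CLSID or path or that point at an unsigned or missing DLL. The CLSID and the %Program Files%\Shared\lib.dll path come from the entry; the Wow6432Node paths (where 32-bit Internet Explorer on 64-bit Windows registers BHOs), the function names and the "unsigned means suspicious" rule are assumptions made for the example. Run it from an elevated PowerShell prompt; Remove-Bho supports -WhatIf so the removal can be previewed first.

```powershell
# Added example (not from the Comodo entry). Enumerate every registered BHO,
# resolve its CLSID to the InprocServer32 DLL, and flag suspicious entries.
# Indicators below are taken from the entry; everything else is an assumption.
$KnownBadClsid = '{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}'
$KnownBadPath  = Join-Path $env:ProgramFiles 'Shared\lib.dll'

# Both native and (assumed) WOW64 registration points for BHOs.
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoInventory {
    foreach ($root in $BhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($bho in Get-ChildItem $root) {
            $clsid = $bho.PSChildName
            # The BHO key only carries the CLSID; the DLL path lives under
            # CLSID\{...}\InprocServer32 (default value), native or WOW64 view.
            $dll = $null
            foreach ($clsidRoot in @('Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')) {
                $inproc = Join-Path (Join-Path $clsidRoot $clsid) 'InprocServer32'
                if (Test-Path $inproc) {
                    $dll = (Get-ItemProperty $inproc).'(default)'
                    break
                }
            }
            $path   = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            $exists = [bool]$path -and (Test-Path -LiteralPath $path)
            # Status is 'Valid' only for an intact, trusted Authenticode signature.
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status.ToString() } else { 'FileMissing' }
            $noExplorer = (Get-ItemProperty $bho.PSPath -ErrorAction SilentlyContinue).NoExplorer

            [PSCustomObject]@{
                CLSID      = $clsid
                Dll        = $path
                Signature  = $sig
                NoExplorer = $noExplorer
                Suspicious = ($clsid -ieq $KnownBadClsid) -or
                             ($path -and ($path -ieq $KnownBadPath)) -or
                             ($sig -ne 'Valid')   # assumption: unsigned/missing BHO DLLs are worth a look
            }
        }
    }
}

function Remove-Bho {
    # Remove the BHO registration, the CLSID key and (optionally) the DLL.
    # Close Internet Explorer first; a loaded DLL cannot be deleted.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [switch]$DeleteDll
    )
    $entry = Get-BhoInventory | Where-Object { $_.CLSID -ieq $Clsid } | Select-Object -First 1
    foreach ($root in $BhoRoots) {
        $key = Join-Path $root $Clsid
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    }
    foreach ($clsidRoot in @('Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')) {
        $key = Join-Path $clsidRoot $Clsid
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    }
    if ($DeleteDll -and $entry -and $entry.Dll -and (Test-Path -LiteralPath $entry.Dll)) {
        Remove-Item -LiteralPath $entry.Dll -Force
    }
}

# Usage: list everything, then preview removal of the ExeDot registration.
Get-BhoInventory | Format-Table -AutoSize
Remove-Bho -Clsid $KnownBadClsid -DeleteDll -WhatIf
```

The inventory is the useful part even when this particular CLSID is absent: a BHO whose DLL has no valid signature, or whose InprocServer32 points at a path that no longer exists, is the usual shape of this kind of persistence and is worth pulling for analysis before removing the keys.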