[INFO]
AnalystName=Swarna Latha V.G.
AnalystEMailID=swarnalatha.gopinathan@comodo.com
Team=India
Date=18-JUN-2010
Type=TrojWare
Platform=Win32
SubType=
Family=Regrun
Variant=

[OVERVIEW]
Regrun is a keylogger. It records the user's keystrokes, harvests stored credentials (instant-messaging passwords, Internet passwords, Outlook passwords) and sends them to unauthorised websites. Other variants use the same spying technique and exfiltrate the collected information via game websites. The family commonly persists by modifying registry entries tied to system components such as explorer.exe and winlogon.exe (in this sample, the Winlogon Shell value), so that its loader is started together with the user's shell.

[TECHNICAL_DESCRIPTION]
Registry Keys Added:
HKU\%SID%\Software\Microsoft\Internet Account Manager
HKU\%SID%\Software\Microsoft\Internet Account Manager\Accounts

Registry Values Added:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SOUNDMAN: "%windir%\system32\dllcache\SOUNDMAN.exe"
HKLM\SOFTWARE\Aviation\Ativ/Desa.

Registry Values Modified:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  Before: "Explorer.exe"
  After:  "explorer.exe C:\WINDOWS\system32\cftmon.exe"
(The dropped file name cftmon.exe is chosen to resemble the legitimate Windows text-services process ctfmon.exe; note the transposed letters.)

Files Added:
%WINDOWS%\system32\cftmon.exe
%WINDOWS%\.mck
%WINDOWS%\.BAK
%WINDOWS%\.sys

[SYMPTOMS]
The keylogged data appears as newly created files in %windir%.
The system attempts to connect to malicious websites.

[DISINFECTION]
Manual Removal Instructions:

1. Restore the following registry value to its original content "Explorer.exe" (do not leave the infected value in place; if the value is deleted outright, Windows falls back to the default shell, but restoring it is the cleaner fix):
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "explorer.exe C:\WINDOWS\system32\cftmon.exe"

2. Delete the following registry value added by the malware:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SOUNDMAN

3. Delete the following files (terminate the running cftmon.exe process first if the file is locked):
%WINDOWS%\system32\cftmon.exe
%WINDOWS%\.mck
%WINDOWS%\.BAK
%WINDOWS%\.sys

4. Restart the system and verify that the Winlogon Shell value still reads "Explorer.exe" and that none of the files listed above have been recreated.
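The manual removal steps above, as an added PowerShell sweep that is not part of the Comodo record: it checks a host for the indicators listed in this entry and, with -Remediate, undoes them. It assumes an elevated session on the affected host, that the expected Winlogon Shell value is the Windows default "explorer.exe", and that any Run entry launching from the dllcache directory is suspicious (dllcache holds protected-file backups, never legitimate autostart targets); the dllcache rule is a generalisation of the SOUNDMAN value in this record.

```powershell
# Added example (not from the Comodo record): sweep for the Regrun indicators
# listed above and optionally remediate them.
# Assumptions: elevated PowerShell on the affected host; the clean Winlogon
# Shell value is "explorer.exe"; no legitimate Run entry launches from dllcache.
[CmdletBinding()]
param([switch]$Remediate)

$WinlogonKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$RunKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$DroppedFiles = @(
    (Join-Path $env:windir 'system32\cftmon.exe'),
    (Join-Path $env:windir '.mck'),
    (Join-Path $env:windir '.BAK'),
    (Join-Path $env:windir '.sys')
)
# Properties PowerShell itself adds to Get-ItemProperty output; not registry values.
$PsNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Returns $null when the Shell value is clean (explorer.exe alone) and the list
# of extra chained programs otherwise. Regrun appends its loader after explorer.exe.
function Test-WinlogonShell {
    param([string]$ShellValue)
    $tokens = @($ShellValue -split '\s+' | Where-Object { $_ -ne '' })
    if ($tokens.Count -eq 1 -and $tokens[0] -ieq 'explorer.exe') { return $null }
    return @($tokens | Select-Object -Skip 1)
}

$findings = @()

# 1. Winlogon\Shell: restore the default rather than deleting the value.
$shell = (Get-ItemProperty -Path $WinlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell) {
    $extra = Test-WinlogonShell $shell
    if ($extra) {
        $findings += "Winlogon\Shell chains extra program(s): $($extra -join ' ')"
        if ($Remediate) { Set-ItemProperty -Path $WinlogonKey -Name Shell -Value 'explorer.exe' }
    }
}

# 2. Run key: flag any value that launches from dllcache (SOUNDMAN in this record).
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -in $PsNoise) { continue }
        if ("$($p.Value)" -imatch '\\dllcache\\') {
            $findings += "Run\$($p.Name) launches from dllcache: $($p.Value)"
            if ($Remediate) { Remove-ItemProperty -Path $RunKey -Name $p.Name }
        }
    }
}

# 3. Dropped files: the loader must be stopped before its image can be deleted.
if ($Remediate) {
    Get-Process -Name cftmon -ErrorAction SilentlyContinue | Stop-Process -Force
}
foreach ($f in $DroppedFiles) {
    if (Test-Path -LiteralPath $f) {
        $findings += "Dropped file present: $f"
        if ($Remediate) { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }
    }
}

if ($findings.Count -eq 0) { 'No Regrun indicators found.' } else { $findings }
if ($Remediate -and $findings.Count -gt 0) {
    'Remediation applied; restart the system and re-run this sweep to confirm nothing was recreated.'
}
```

Run it once without -Remediate to see what is present, then with -Remediate, then reboot and run it again: a Shell value or dropped file that reappears after the restart means another persistence mechanism (for example the SOUNDMAN Run entry) was still active and relaunched the loader.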