[INFO]
AnalystName=Andrei Brasoveanu
AnalystEMailID=brasoveanua@comodo.com
Team=Romania
Date=10-JAN-2010
Type=TrojWare
Platform=Win32
SubType=TrojanDownloader
Family=DieHard
Variant=

[OVERVIEW]
This trojan establishes several network connections, then downloads files and launches them on the targeted computer without the user's consent.

[TECHNICAL_DESCRIPTION]
Injects its code into the following processes:
IEXPLORE.EXE

Registry entries added:
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RUNTIME
HKLM\SYSTEM\ControlSet001\Services\runtime
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME
HKLM\SYSTEM\CurrentControlSet\Services\runtime
HKLM\SYSTEM\CurrentControlSet\Services\runtime\Enum

Registry Values Added:
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RUNTIME\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RUNTIME\0000\Control\ActiveService: "runtime"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RUNTIME\0000\Service: "runtime"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RUNTIME\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RUNTIME\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RUNTIME\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RUNTIME\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RUNTIME\0000\DeviceDesc: "runtime"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RUNTIME\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\runtime\Enum\0: "Root\LEGACY_RUNTIME\0000"
HKLM\SYSTEM\ControlSet001\Services\runtime\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\runtime\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\runtime\ImagePath: "\??\C:\WINDOWS\System32\drivers\runtime.sys"
HKLM\SYSTEM\ControlSet001\Services\runtime\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\runtime\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000\Control\ActiveService: "runtime"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000\Service: "runtime"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000\DeviceDesc: "runtime"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\runtime\Enum\0: "Root\LEGACY_RUNTIME\0000"
HKLM\SYSTEM\CurrentControlSet\Services\runtime\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\runtime\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\runtime\ImagePath: "\??\C:\WINDOWS\System32\drivers\runtime.sys"
HKLM\SYSTEM\CurrentControlSet\Services\runtime\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\runtime\Start: 0x00000003

Notes on the entries above: Type 0x00000001 is SERVICE_KERNEL_DRIVER and Start 0x00000003 is SERVICE_DEMAND_START, so the sample registers runtime.sys as a kernel-mode driver that is started on request rather than at boot. HKLM\SYSTEM\CurrentControlSet is a link to the active ControlSet00N, so the two blocks of values are the same data seen through two paths, not two separate installations. The Enum\Root\LEGACY_RUNTIME key and the Services\runtime\Enum values are written by the Plug and Play manager when a legacy (non-PnP) driver service is started; their presence indicates the driver was actually loaded at least once, not merely registered.

Files added:
%systemroot%\System32\drivers\runtime.sys

[SYMPTOMS]

[DISINFECTION]
Install and scan your computer with Comodo Internet Security to remove these threats.
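The following script is an added triage example and is not part of the original Comodo report or its product. It parses a .reg export (for instance the output of "reg export HKLM\SYSTEM\CurrentControlSet\Services\runtime" taken on a suspect host, or an export produced from an offline SYSTEM hive) and checks it for the indicators listed in the technical description: the "runtime" service key, a kernel-driver Type of 0x1, a demand-start Start of 0x3, an ImagePath ending in drivers\runtime.sys, and the LEGACY_RUNTIME entry under Enum\Root that shows the driver was loaded. The embedded SAMPLE_REG is constructed to match the values in the report and is not a capture from a real infection; the function and constant names are the author's own choices.

```python
"""Triage a .reg export for the DieHard 'runtime' kernel-driver indicators."""
import re
import sys

# Constructed sample matching the registry values in the report above
# (not a real capture). ImagePath is exported as hex(2) = REG_EXPAND_SZ, UTF-16LE.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
  44,00,4f,00,57,00,53,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
  5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,72,00,75,00,6e,00,74,00,\
  69,00,6d,00,65,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime\Enum]
"0"="Root\\LEGACY_RUNTIME\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000]
"Service"="runtime"
"Legacy"=dword:00000001
"Class"="LegacyDriver"
"DeviceDesc"="runtime"
'''

# Key paths from the report; ControlSet00N paths are folded onto CurrentControlSet.
SERVICE_KEY = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime'
LEGACY_KEY = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\0000'
SERVICE_KERNEL_DRIVER = 0x1   # Services\<name>\Type
SERVICE_DEMAND_START = 0x3    # Services\<name>\Start


def _decode_value(raw):
    """Decode one .reg value: REG_SZ, REG_DWORD or REG_EXPAND_SZ (hex(2))."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    if raw.startswith('hex(2):'):
        data = bytes.fromhex(raw[len('hex(2):'):].replace(',', ''))
        return data.decode('utf-16-le').rstrip('\x00')
    return raw  # other types are kept as the raw export text


def parse_reg_export(text):
    """Parse a REGEDIT export into {key_path: {value_name: value}}."""
    # Hex values wrap with a trailing backslash; join them back into one line.
    text = re.sub(r',\\\r?\n\s*', ',', text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry') or line == 'REGEDIT4':
            continue
        if line.startswith('[') and line.endswith(']'):
            # CurrentControlSet is a link to ControlSet00N: treat them as one key.
            current = re.sub(r'\\ControlSet\d{3}\\', r'\\CurrentControlSet\\', line[1:-1], flags=re.I)
            keys.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue
        name, _, raw = line.partition('=')
        name = '(Default)' if name == '@' else name.strip('"')
        keys[current][name] = _decode_value(raw)
    return keys


def check_diehard_driver(keys):
    """Report which indicators from the analysis are present in a parsed export."""
    findings = {'service_key': SERVICE_KEY in keys}
    svc = keys.get(SERVICE_KEY, {})
    findings['kernel_driver'] = svc.get('Type') == SERVICE_KERNEL_DRIVER
    findings['demand_start'] = svc.get('Start') == SERVICE_DEMAND_START
    image = str(svc.get('ImagePath', ''))
    findings['image_path'] = image
    findings['image_is_runtime_sys'] = image.lower().endswith(r'\drivers\runtime.sys')
    # The LEGACY_RUNTIME device node is created when the legacy driver service
    # starts, so it shows the driver was loaded, not only registered.
    findings['driver_was_loaded'] = LEGACY_KEY in keys
    return findings


if __name__ == '__main__':
    # Usage: python triage_runtime.py [export.reg]; without a file, the sample is used.
    text = open(sys.argv[1], encoding='utf-16' if len(sys.argv) > 1 else 'utf-8').read() \
        if len(sys.argv) > 1 else SAMPLE_REG
    for name, value in check_diehard_driver(parse_reg_export(text)).items():
        print(f'{name:22} {value}')
```

Exports written by reg.exe are UTF-16 with a BOM, which is why the file branch opens with that encoding; the inline sample is plain text. The parser only decodes the three value types a Services entry uses, so unrelated values in a larger hive export pass through as raw strings rather than failing the run.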