[INFO]
AnalystName=Haja
AnalystEMailID=hajan@comodo.com
Team=India
Date=07-APR-2010
Type=TrojWare
Platform=Win32
SubType=TrojanDropper
Family=Parc
Variant=A

[OVERVIEW]
This Trojan program drops additional malicious files into the system.

[TECHNICAL_DESCRIPTION]
Keys Added:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Apcdli
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apcdli

Values Added:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\dlloadtime: "1270616207"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\mac: "00-0C-29-3A-29-0B"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9BA1AA9-CAD4-4C14-BDE6-922DFF5F6F38}\dln: "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Apcdli\TempPath: "\??\C:\WINDOWS\Temp\kzdh@loader-lyrics_2313.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apcdli\TempPath: "\??\C:\WINDOWS\Temp\kzdh@loader-lyrics_2313.dll"

Files Added:
%Temp%\07.exe
%Temp%\ope3.tmp
%Temp%\yoyo1313.exe

Folders Added:
%ProgramFiles%Microsoft Office\SYSTEM

The trojan launches the following processes to disable antivirus software:
cmd /c sc config ekrn start= disabled
taskkill /im ekrn.exe /f
taskkill /im egui.exe /f
sc config NOD32krn start=disable
taskkill /im nod32krn.exe /f
taskkill /im nod32kui.exe

[SYMPTOMS]
System performance degradation.

[DISINFECTION]