Upon execution, this Trojan checks for the system's Internet connection. It then creates new registry entries in order to lower the Internet security settings of the user's default browser.
This Trojan downloads files from the following URLs:
http://static.topconverting.com/acti...nningsgame.exe
http://static.topconverting.com/activex/tcupdater.exe
http://static.topconverting.com/activex/180ax.exe
http://static.topconverting.com/activex/optimize.exe
http://static.topconverting.com/activex/games.exe
It adds the following registry keys and entries:
HKEY_CLASSES_ROOT\LOADER2.Loader2Ctrl.1
@ = "Loader2 Control"
HKEY_CLASSES_ROOT\LOADER2.Loader2PropPage.1
@ = "Loader2 Control"
HKEY_CLASSES_ROOT\LOADER2.Loader2Ctrl.1\CLSID
@ = "{79849612-A98F-45B8-95E9-4D13C7B6B35C}"
HKEY_CLASSES_ROOT\CLSID\{38601801-2FF5-4A62-95DA-D2007161C1B4}
@ = "Loader2 Property Page"
HKEY_LOCAL_MACHINE\Software\Classes\LOADER2.Loader2Ctrl.1
@ = "Loader2 Control"
HKEY_LOCAL_MACHINE\Software\Classes\LOADER2.Loader2Ctrl.1\CLSID
@ = "{79849612-A98F-45B8-95E9-4D13C7B6B35C}"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{38601801-2FF5-4A62-95DA-D2007161C1B4}
@ = "Loader2 Property Page"
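The following PowerShell check is an added example, not part of the original description: it looks for the registry keys listed above and compares each key's default value with the one reported. It queries HKLM\Software\Classes and HKCU\Software\Classes directly because HKEY_CLASSES_ROOT is a merged view of those two locations; the variable and property names are illustrative.

```powershell
# Added example. Key names and default (@) values are copied from the
# description above; variable and property names are illustrative.
$indicators = @(
    @{ SubKey = 'LOADER2.Loader2Ctrl.1';       Default = 'Loader2 Control' }
    @{ SubKey = 'LOADER2.Loader2PropPage.1';   Default = 'Loader2 Control' }
    @{ SubKey = 'LOADER2.Loader2Ctrl.1\CLSID'; Default = '{79849612-A98F-45B8-95E9-4D13C7B6B35C}' }
    @{ SubKey = 'CLSID\{38601801-2FF5-4A62-95DA-D2007161C1B4}'; Default = 'Loader2 Property Page' }
)

# HKEY_CLASSES_ROOT merges these two locations, so query the sources directly.
# HKCU covers only the user running the script.
$roots = @('HKLM:\Software\Classes', 'HKCU:\Software\Classes')

$findings = foreach ($root in $roots) {
    foreach ($ioc in $indicators) {
        $path = "$root\$($ioc.SubKey)"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # GetValue('') returns the key's default (@) value, or $null if unset.
        $actual = (Get-Item -LiteralPath $path).GetValue('')
        [pscustomobject]@{
            Key           = $path
            DefaultValue  = $actual
            ValueAsListed = ($actual -eq $ioc.Default)
        }
    }
}

if ($findings) {
    # A key that exists with a different default value is still reported,
    # with ValueAsListed set to False.
    $findings | Format-Table -AutoSize -Wrap
} else {
    'None of the listed keys are present for this machine or the current user.'
}
```

A hit under HKLM applies to every account on the machine, while a hit under HKCU applies only to the profile the script ran in.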
Analysis By: Carlo Panganiban
Revision History:
First pattern file version: 2.364.06
First pattern file release date: Jan 21, 2005