A complex multi-component file infector written in C and Assembly. It adds the rmnsoft.dll and modules.dll libraries to the browser, saves the driver into a temporary folder and runs it as a Microsoft Windows Service. Then it copies the virus body into a temporary directory and a startup folder with a random name and the .exe extension.
The backdoor can execute commands received from the remote server, in particular, download and run any files, update itself, take screenshots and send them to the criminals, and even render the operating system non-operational. It uses a digital signature to sign the IP address of a command and control server, while the addresses of the command and control servers are generated dynamically.
Virus components and configuration file, downloaded by the backdoor, are stored in the encrypted log file in the % APPDATA% folder. The module implemented in the modules.dll file loads data from the file with the .log extension and performs all the manipulations with the loaded code in the computer's RAM, so the components' code is not decrypted onto the hard drive.
The virus is able to stop anti-virus processes and modify the MBR. It stores its files at the end of the disk. When rebooting, the control is transferred to the infected MBR which reads and decrypts modules in the memory and then runs them.
It downloads the following modules: Ftp Grabber v2.0, Anonymous Ftp Server v1.0, Hide Browser v1.1, Hooker 3 Spy module. The virus has the polymorphic infector and infects files starting from the entry point , its body is in resources under the random name.
