Are these spyware???
Hello,
Two days ago my IE6 browser, with the latest patches, managed to download a few binaries to my machine without informing me, and this although I have a toolbar that blocks popups and spyblaster installed on my PC. Since I'm not exactly a newbie to these things, I soon managed to identify the different copies of the binaries (an exe and a dll) and all associated registry keys.
Both of the binaries were packed with UPX and were copied in multiple copies into the root of my system partition, into the Microsoft folder of the Application Data dir under Documents and Settings, and into the system32 directory.
Both of them were packed with UPX, probably to reduce their size. I have also seen that one of them has a resource that OllyDbg identifies as having a Russian locale.
They created 3 empty files inside a few of the folders where they were copied and also on my desktop (why????). I've been able to understand that the purpose of the exe is to load the dll using rundll32, which should be able to communicate via sockets. Apart from this, I have not been able to understand what their purpose is. If anyone is interested in taking a look, I zipped an unpacked copy of them here:
h**p://utenti.lycos.it/lucevirtuale/spyware_exe_and_dll_unpacked.zip
yaa