Registry Cleaner Geeks

November 28, 2009 1:10:06 PM

Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

The malicious file typically arrives as an installation file for certain computer games.

When the Trojan is executed, it threat takes a screenshot of desktop and saves it as the following:
%Systemdrive%\[RANDOM LETTERS]\[RANDOM LETTERS].bmp

Then the Trojan converts the saved .bmp file to a JPEG file and saves it as the following:
%SystemDrive%\[RANDOM LETTERS]\[RANDOM LETTERS].jpg

Next it sends the screenshot to the following FTP site:
[ftp://]ftp96.heteml.jp/web/img/us[REMOVED]

It connects to the following URLs to obtain global IP address and the host name of the infected machine:

* [http://]cplayer.dreamhosters.com/getho[REMOVED]
* [http://]checkip.dyndns.org[REMOVED]

Then, it displays a form and requests the user to fill it with the following information:

* first name
* family name
* email address
* password
* first name in game
* family name in game
* gender
* birth date
* company name
* telephone number
* zip code
* address

It also steals the following information from the compromised machine:

* computer name
* domain name
* OS type
* time
* clipboard

Then the Trojan sends the stolen information to the following URL:
[http://]p3p.jp/en[REMOVED]/

When the Trojan exits, it displays the following URL with the gathered information using default browser:
[http://]p3p.jp/entry/user/[RANDOM [REMOVED]

FREE SCAN:

Please click here for manual removal instructions.