Method of Infection
Several Alemod variants drop and execute a file, %System%\intel32.exe or %System%\intell32.exe, which displays a red alert icon in the system tray. This file may be detected as Win32.Spudrag by CA antivirus solutions. If the user hovers their mouse over the icon, it displays the following message:
"Your computer is infected!"
If the user right-clicks on the icon, it displays this message:
"Click here to protect your computer from spyware / virus threat."

Should the user left-click on the icon, the trojan launches the user's default Internet browser to display a particular webpage.
Alemod also modifies the registry so that this file is executed at each Windows start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\intel32.exe = "%System%\intel32.exe"
or
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\intell32.exe = "%System%\intell32.exe"
For more information on Win32.Alemod variants that drop Win32.Spudrag, please see elsewhere in our encyclopedia:
Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.
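
A read-only check for the artifacts described above, as an added example (not part of the original write-up or CA's tooling): it looks for the intel32.exe / intell32.exe Run values and the matching files in the System folder. The WOW6432Node key and the SysWOW64 directory are assumptions added for 64-bit Windows, which the page does not cover.

```powershell
# Added example: reports the Alemod/Spudrag artifacts named above; changes nothing.
$names   = 'intel32.exe', 'intell32.exe'    # file names and Run value names from the write-up
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    # Assumption beyond the page: 32-bit view of the same key on 64-bit Windows
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$sysDirs = @(
    [Environment]::SystemDirectory,          # what the page calls %System%
    # Assumption beyond the page: where 32-bit writes to System32 land on 64-bit Windows
    (Join-Path $env:windir 'SysWOW64')
)

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $values = Get-ItemProperty -LiteralPath $key
    if (-not $values) { continue }           # key exists but holds no values
    foreach ($name in $names) {
        # Run entries are values under the key; here the value name is the file name
        $prop = $values.PSObject.Properties[$name]
        if ($prop) {
            $findings += [pscustomobject]@{
                Type = 'RunValue'; Location = "$key\$name"; Detail = $prop.Value }
        }
    }
}

foreach ($dir in $sysDirs) {
    foreach ($name in $names) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $file = Get-Item -LiteralPath $path -Force    # -Force also returns hidden files
            $findings += [pscustomobject]@{
                Type = 'File'; Location = $path
                Detail = "$($file.Length) bytes, written $($file.LastWriteTime)" }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else           { 'No intel32.exe / intell32.exe Run values or files found.' }
```

A Run value whose file is already gone still counts as a finding, since it shows the autostart entry was written at some point.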