Trojan.Generic.2581209 (Glecia, Krap)

SYMPTOMS:

Presence of several registry keys under:

HKCR\CLSID\{CEE2864E-1144-4B8F-9A43-4CEAC4553560}

"HKCU\Software\Microsoft\Internet Explorer\Main\^%\E$@@#n%^a&^()%b#(^$%l%(^%$e(^& ^%\#$%r$$^%o$#(%w@$%#$s%^^%$e%^(()(*& %#E*&^&x$(%%t%$#$@e^^%@(n#$%s))#%i*^o$%$^$^n(&*s(%^&" = YES

A BHO called "Microsoft Online Helper!" or "Google Accelerator!" pointing to %SYSTEM%\bhdvgtueyitf.dll

TECHNICAL DESCRIPTION:

The malware is distributed in a zip archive attached to an e-mail which claims to be from "DHL express services". Glecia cannot propagate itself, so it needs a third party to send the spam. An e-mail sample follows:

Subject: DHL Express Services. Please get your parcel NR.56449

The archive contains a packed executable which drops a BHO to %SYSTEM%\bhdvgtueyitf.dll and registers it as "Microsoft Online Helper!" or "Google Accelerator!" with CLSID {CEE2864E-1144-4B8F-9A43-4CEAC4553560}. When done, the dropper creates and runs a batch file called sys.bat in order to delete itself. The BHO is a backdoor that can be used by the attacker to take control over the infected computer.

REMOVAL INSTRUCTIONS:

Please let BitDefender disinfect your files.

ANALYZED BY: Horea Coroiu, virus researcher
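The indicators listed in the description (the CLSID, the two BHO display names, the dropped DLL path and the "= YES" value under Internet Explorer\Main) can be checked on a suspect machine with a short triage script. The following PowerShell is an added example written for this page, not a BitDefender tool or part of the original analysis. It uses only values from the description, plus two assumptions: the Browser Helper Objects registration key is the standard location where IE looks up BHOs (not stated on the page), and the check for the Internet Explorer\Main value is a heuristic that flags any value set to YES whose name contains the kind of punctuation noise shown above, since the exact garbled name is not reliable to match literally.

```powershell
# Triage check for the Glecia/Krap indicators described above.
# Added example; not BitDefender's code. Run in an elevated PowerShell.
# Indicator values are taken from the description. The "Browser Helper
# Objects" registry path is the standard BHO registration location and is
# an assumption, as is the punctuation heuristic in step 4.

$Clsid    = '{CEE2864E-1144-4B8F-9A43-4CEAC4553560}'
$BhoNames = @('Microsoft Online Helper!', 'Google Accelerator!')
$DllPath  = Join-Path $env:SystemRoot 'System32\bhdvgtueyitf.dll'   # %SYSTEM%\bhdvgtueyitf.dll

$findings = New-Object System.Collections.Generic.List[string]

# 1. COM class registration of the BHO under HKCR\CLSID.
$clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
if (Test-Path -LiteralPath $clsidKey) {
    $name = (Get-ItemProperty -LiteralPath $clsidKey -ErrorAction SilentlyContinue).'(default)'
    $findings.Add("CLSID key present: $clsidKey (display name: '$name')")
    if ($BhoNames -contains $name) {
        $findings.Add("Display name matches a known Glecia BHO name")
    }
    $server = "$clsidKey\InProcServer32"
    if (Test-Path -LiteralPath $server) {
        $dll = (Get-ItemProperty -LiteralPath $server -ErrorAction SilentlyContinue).'(default)'
        $findings.Add("InProcServer32 points to: $dll")
    }
}

# 2. BHO registration (assumed standard location, checked in both hives).
foreach ($hive in 'HKLM', 'HKCU') {
    $bhoKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
    if (Test-Path -LiteralPath $bhoKey) {
        $findings.Add("BHO registered in $hive`: $bhoKey")
    }
}

# 3. Dropped DLL on disk; record its hash for later correlation.
if (Test-Path -LiteralPath $DllPath) {
    $hash = (Get-FileHash -LiteralPath $DllPath -Algorithm SHA256).Hash
    $findings.Add("Dropped DLL present: $DllPath (SHA256 $hash)")
}

# 4. Heuristic: values under IE\Main set to YES whose name carries the
#    punctuation noise seen in the description (assumption, may false-positive).
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
if (Test-Path -LiteralPath $ieMain) {
    $props = Get-ItemProperty -LiteralPath $ieMain -ErrorAction SilentlyContinue
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '[\$\^%&@#\(\)\*]' -and "$($p.Value)" -ieq 'YES') {
            $findings.Add("Suspicious IE\Main value set to YES: '$($p.Name)'")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No Glecia/Krap indicators found."
    exit 0
}
Write-Output "Glecia/Krap indicators found:"
$findings | ForEach-Object { Write-Output "  - $_" }
exit 1
```

The script only reads; it does not remove anything, which matches the removal guidance above to let the product handle disinfection. A non-zero exit code makes it easy to run across a fleet and collect hosts that need attention, and the recorded SHA256 lets an analyst confirm that the DLL on a given host is the same sample the description covers.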