Summary

It's a Backdoor malicious code(Server-side polymorphism). It collects information from infected systems and runs by command codes from a C&C server.

Here are main malicious actions by this malware.

- Download and run malicious codes.
- Execute files.
- Execute command codes.
- Execute files.​

This malicious code uses ' Server-side polymorphism', therefore distributed files' MD5 is changed continuously. (But, the function of this malicious code is same as a Backdoor malware.)
Files(named 3002.exe or 3005.exe) have been distributed by many websites(e.g. Universities, organizations, shopping malls, travel agencies, etc. ), users need to be aware of that.

[Distributed location]

 The Symptom

1. It creates the following files.

C:WINDOWS(Random names)svchsot.exe => Self-replication

2. It creates the following registry values.

3. It registers the following task scheduler.
C:WINDOWSTasksAt1~24.job

4. It accesses the following network.

[How to repair]
Reparable by ViRobot engine ver. 2014-08-19 or above.