Trojan.Mercurycas.A is a Trojan horse that allows an infected computer to be used as an email relay.
When it is executed, it performs the following actions:
Drops the following files:
%System%\Szchostc.exe (A legitimate proxy utility named 3[APA3A]tiny proxy)
Adds the value: "Olive System"="%System%\Szchost.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds the value: "winid"=[date and time of infection]
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Mrdodf
Adds the value: "Datu"=[IP address]
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Mctest
Executes %System%\Szchostc.exe, which runs a proxy on a port number calculated from the current system time.
Connects to the IP address 220.127.116.11 on TCP port 25 to receive instructions from the attacker.
Attempts to download the file, %System%\system.ing, from a remote host that is hard-coded in the Trojan.
Gathers various pieces of system information based on the content of %System%\system.ing.
This may include IP address, Computer Name, folder listings, and so on.
Submits information gathered to a PHP page at www.mercuryloungecasino.com, along with the port number on which the proxy runs.
Please remove all the keys described above.
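A read-only check for the registry values and files listed above, added here as an example; it is not part of the original write-up. It assumes %System% is the System32 folder and also looks in the 32-bit views (WOW6432Node, SysWOW64) that 64-bit Windows redirects 32-bit processes to; the function and variable names are hypothetical.

```powershell
# Added example: read-only check for the artifacts this write-up lists.
# Assumptions: %System% is the System32 folder; on 64-bit Windows a 32-bit
# process is redirected to WOW6432Node and SysWOW64, so both views are checked.
$values = @(
    @{ Sub = 'Microsoft\Windows\CurrentVersion\Run'; Name = 'Olive System' },
    @{ Sub = 'Microsoft\Mrdodf'; Name = 'winid' },
    @{ Sub = 'Microsoft\Mctest'; Name = 'Datu' }
)
$roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'
$dirs  = 'System32', 'SysWOW64' | ForEach-Object { Join-Path $env:SystemRoot $_ }
# Both spellings of the executable appear in the write-up, so check both.
$files = 'Szchostc.exe', 'Szchost.exe', 'system.ing'

function Get-MercurycasFindings {
    $findings = @()
    foreach ($root in $roots) {
        foreach ($v in $values) {
            $key  = "$root\$($v.Sub)"
            # Returns nothing (error suppressed) if the key or the value is absent.
            $item = Get-ItemProperty -Path $key -Name $v.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $findings += [pscustomobject]@{
                    Type = 'RegistryValue'; Location = $key
                    Name = $v.Name; Data = $item.($v.Name)
                }
            }
        }
    }
    foreach ($dir in $dirs) {
        foreach ($f in $files) {
            $path = Join-Path $dir $f
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $info = Get-Item -LiteralPath $path -Force   # -Force: include hidden files
                $findings += [pscustomobject]@{
                    Type = 'File'; Location = $path; Name = $f
                    Data = "size=$($info.Length) modified=$($info.LastWriteTimeUtc.ToString('u'))"
                }
            }
        }
    }
    return $findings
}

$results = Get-MercurycasFindings
if ($results) { $results | Format-Table -AutoSize -Wrap }
else { Write-Output 'None of the listed artifacts were found.' }
```

When removing what it finds, delete only the "Olive System" value from the Run key (for example with Remove-ItemProperty), not the Run key itself, which other software relies on.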