Troj/Cosiam-K includes functionality to access the internet and communicate
with a remote server via HTTP.
When first run, Troj/Cosiam-K copies itself to <System>\stonedrv.exe and creates
the following files:
<System>\TheMatrixHasYou.exe
<System>\inistone.ini
The file TheMatrixHasYou.exe is detected as Troj/Daemoni-AK.
The following registry entries are created to run stonedrv.exe on startup
(value name, then data, under each key):
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    stonedrv = <System>\stonedrv.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    stonedrv = <System>\stonedrv.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Services
    stonedrv = <System>\stonedrv.exe
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\
Sophos Security
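To check a host for the persistence described above, here is an added example (not Sophos's own tooling) that scans a `reg export`-style dump of the autorun keys for the stonedrv entries. The .reg text is constructed sample data; the list of dropped file names is taken from the description above, and the key name is normalised so that both "RunServices" and the "Run Services" spelling used above are matched.

```python
import re

# Constructed sample of a .reg export (not from the page): one benign entry
# plus the three stonedrv autorun entries the description lists.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"stonedrv"="C:\\WINDOWS\\system32\\stonedrv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"stonedrv"="C:\\WINDOWS\\system32\\stonedrv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"stonedrv"="C:\\WINDOWS\\system32\\stonedrv.exe"
'''

SECTION_RE = re.compile(r'^\[(.+)\]\s*$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')
AUTORUN_KEYS = ("run", "runservices")          # leaf key names that start programs
IOC_FILES = ("stonedrv.exe", "thematrixhasyou.exe")  # dropped files named above


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for every REG_SZ value in a .reg dump."""
    key = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            # .reg files escape backslashes and quotes inside string data
            data = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
            yield key, m.group(1), data


def is_autorun_key(key):
    """True for ...\\CurrentVersion\\Run and RunServices (space-tolerant)."""
    leaf = key.rsplit('\\', 1)[-1].replace(' ', '').lower()
    return '\\currentversion\\' in key.lower() and leaf in AUTORUN_KEYS


def find_cosiam_persistence(text):
    """Return autorun values whose name or target matches the indicators."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not is_autorun_key(key):
            continue
        exe = data.strip('"').split('\\')[-1].split()[0].lower()
        if name.lower() == 'stonedrv' or exe in IOC_FILES:
            hits.append((key, name, data))
    return hits
```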