A forum for reverse engineering, OS internals and malware analysis
#5134 by gjf
Tue Feb 22, 2011 10:59 am
It should be noted, because it was not obvious from the F-Secure post, that the fake explrer.exe (downloader) starts, downloads some stuff (in my case it was hxxp://xc.115.bz/tools.exe) and then exits. So without checking userinit.exe and the MBR it is not possible to find the way the malware comes in. Actually, even a userinit.exe check will not help, because the MBR will restore the infection on the next boot.
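The post names two persistence points worth baselining during triage: the Winlogon Userinit value (Windows runs every comma-separated entry in it, so an appended loader survives the downloader exiting) and the MBR boot code (which re-infects on reboot even after the userinit hijack is removed). The following is an added example, not code from the post or from F-Secure: it parses a raw 512-byte MBR (standard layout: 440 bytes of boot code, partition table at offset 446, 0x55AA signature at offset 510), compares the boot-code hash against a known-good baseline, and flags any Userinit entry other than the real userinit.exe. The MBR images, the baseline hash and the registry values it checks are all constructed inline for the demo; the `C:\EXAMPLE\...` path is a placeholder.

```python
"""Baseline checks for the two persistence points discussed in the post.
Example code, not from the forum thread; all sample data is constructed."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440       # bytes 0..439 hold the executable boot code
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
BOOT_SIG_OFF = 510        # bytes 55 AA mark a valid MBR

# Real Userinit value on a clean system ends with a trailing comma; compare lower-cased.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def userinit_findings(value: str) -> list:
    """Return findings for a Winlogon Userinit registry value.

    Windows launches every comma-separated entry at logon, so anything besides
    the genuine userinit.exe is a candidate hijack."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        return ["Userinit value is empty"]
    findings = []
    if entries[0].lower() != EXPECTED_USERINIT:
        findings.append("first entry is not the real userinit.exe: " + entries[0])
    for extra in entries[1:]:
        findings.append("extra Userinit entry: " + extra)
    return findings


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw MBR into boot-code hash, signature validity and partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    # Little-endian read of bytes 55 AA yields 0xAA55.
    sig = struct.unpack_from("<H", mbr, BOOT_SIG_OFF)[0]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "valid_signature": sig == 0xAA55,
        "partitions": partitions,
    }


def mbr_findings(mbr: bytes, baseline_sha256: str) -> list:
    """Compare the boot code against a known-good hash taken from a clean image."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    return findings


def build_mbr(boot_code: bytes) -> bytes:
    """Constructed test image: given boot code plus one NTFS-style partition entry."""
    assert len(boot_code) == BOOT_CODE_LEN
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        2048, 1_000_000)
    return boot_code + b"\x00" * 6 + entry + b"\x00" * 48 + b"\x55\xaa"


# Constructed samples: a "clean" boot sector and one whose boot code was replaced.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0" + b"\x90" * 437
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE)
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()
INFECTED_MBR = build_mbr(b"\xeb\xfe" + b"\x00" * 438)

if __name__ == "__main__":
    print("clean MBR:", mbr_findings(CLEAN_MBR, BASELINE_SHA256))
    print("modified MBR:", mbr_findings(INFECTED_MBR, BASELINE_SHA256))
    print("hijacked Userinit:", userinit_findings(
        r"C:\Windows\system32\userinit.exe,C:\EXAMPLE\explrer.exe"))
```

On a live system the baseline hash should come from a known-clean image of the same Windows version, and the MBR should be read from the raw disk device rather than through anything a bootkit could filter; the point of the baseline comparison is that the check does not depend on recognising the specific infection.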