CWS variant wirl.dll
November 11, 2006 at 3:58 pm | In Malware analysis
Originally posted Apr 19 2005, 12:33 PM
Still researching this one, so changes will be made.
The main files seem to be a randomly named executable plus:
wirl.dll
hst32.dll
wcnl32.dll
This seems to be the complete set of DLLs:
C:\windows\system32\cidft.dll
C:\windows\system32\cidpog32.dll
C:\windows\system32\gupd.dll
C:\windows\system32\hst32.dll
C:\WINDOWS\System32\cidpoq32.dll
C:\WINDOWS\System32\nthst32.dll
C:\windows\system32\icnfe.dll
C:\windows\system32\icqrt.dll
C:\windows\system32\icvbr.dll
C:\windows\system32\sdfup.dll
C:\windows\system32\wcnl32.dll
C:\windows\system32\wecxg32.dll
C:\windows\system32\wirl.dll
C:\windows\system32\xcwer32.dll
C:\windows\system32\zxmsn.dll
C:\windows\system32\thun.dll
C:\WINDOWS\System32\thun32.dll
C:\windows\system32\rch32.dll
Since the exe files appear to be completely random, it's no use listing them.
Scan results:
KAV found 103.exe – infected by Trojan-Downloader.Win32.Small.anx
Dr.Web found wirl.dll – infected by Trojan.Favadd
VBA32 found wirl.dll – infected by Trojan.Win32.StartPage.2 (probable variant)
The executable copies itself to the System folder and adds a Run entry for itself called SVCHOST, a name borrowed from the legitimate Windows service host process (svchost.exe) so that it blends into startup listings:
O4 – HKCU\..\Run: [SVCHOST] C:\WINDOWS\system32\103.exe
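A check for that masquerading Run entry, as an added example that is not code from the original post: the script below parses HijackThis-style O4 lines and flags a value name that borrows a Windows system process name (such as SVCHOST) while launching a different executable, and also any all-digit executable launched from system32 (the 103.exe pattern). The log lines are constructed sample input; only the SVCHOST entry mirrors the one above. The set of process names and the line regex are assumptions chosen for this example.

```python
"""Flag HijackThis-style O4 Run entries whose value name mimics a Windows
system process while the command actually runs something else.

Added example, not code from the original post. SAMPLE_LOG is constructed;
only the SVCHOST -> 103.exe line mirrors the entry in the post.
"""
import ntpath
import re

# Names legitimate startup entries do not normally use but malware borrows
# to blend in (assumption: list chosen for this example).
SYSTEM_PROCESS_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "explorer"}

# Accepts both "O4 - " and "O4 – " (HijackThis output uses a plain hyphen;
# the post shows an en dash after copy/paste).
O4_RE = re.compile(
    r"^O4\s*[-–]\s*(?P<hive>HK[A-Z]{2})\\\.\.\\(?P<key>Run\w*):\s*"
    r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$"
)


def parse_o4(line):
    """Return the hive, key, value name and command of an O4 line, or None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def exe_basename(cmd):
    """Executable name without path or extension, lower-cased.

    Quoted commands are split at the closing quote; unquoted ones at the
    first space (good enough for the flag below, which only needs the
    basename of paths without embedded spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        exe = cmd.split(" ", 1)[0]
    return ntpath.splitext(ntpath.basename(exe))[0].lower()


def is_suspicious(entry):
    name = entry["name"].lower()
    exe = exe_basename(entry["cmd"])
    # Value name borrows a system process name but the binary is not that process.
    if name in SYSTEM_PROCESS_NAMES and exe != name:
        return True
    # Random-looking numeric executable dropped into system32 (e.g. 103.exe).
    if "system32" in entry["cmd"].lower() and re.fullmatch(r"\d+", exe):
        return True
    return False


def flag_entries(lines):
    """Return (value name, command) for every suspicious O4 line."""
    hits = []
    for line in lines:
        entry = parse_o4(line)
        if entry and is_suspicious(entry):
            hits.append((entry["name"], entry["cmd"]))
    return hits


# Constructed sample log: one CWS-style entry and two benign ones.
SAMPLE_LOG = [
    "O4 - HKCU\\..\\Run: [SVCHOST] C:\\WINDOWS\\system32\\103.exe",
    "O4 - HKLM\\..\\Run: [SoundMAX] C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe /tray",
    "O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe",
]

if __name__ == "__main__":
    for name, cmd in flag_entries(SAMPLE_LOG):
        print("suspicious Run entry [%s] -> %s" % (name, cmd))
```

The two rules are deliberately narrow: a value name that equals a system process name is only flagged when the executable basename differs, so a real `[ctfmon.exe] ...\ctfmon.exe` style entry passes.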
hst32.dll holds the information for the changes to be made to the hosts file. (A hosts-file line takes the IP address first; the entry below is shown hostname first, as listed in the DLL.)
Mine was very small:
auto.search.msn.com 127.0.0.1
wcnl32.dll holds the information for the changes to the favorites
This one said:
http://www.nowfind.net/umax10/index.php
Search the web.url
http://forbiddenconversations.com/
Forbidden Conversations.url
http://free.modernfucking.com/index.html
Forced Sex.url
http://best.teens5.com/index.html
Young Preteen Models.url
http:/www.nowfind.net/umax5/index.php
Search the web.url
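To turn the two payload lists above into a triage check, the following Python is an added example (not code from the original post, and not the malware's own logic) that parses a hosts file for any entry beyond localhost and walks a Favorites folder for .url shortcuts whose host matches the domains seen in wcnl32.dll. The hosts text and the .url files it writes are constructed sample data; the indicator-domain set is taken from the post and would be extended in a real scan.

```python
"""Check a hosts file and a Favorites folder for the two CWS payloads the
post describes: search-domain redirects in hosts and dropped .url shortcuts.

Added example, not code from the original post. SAMPLE_HOSTS and the .url
files written by build_sample_favorites() are constructed test data.
"""
import configparser
import os
import tempfile
from urllib.parse import urlsplit

# Domains seen in the wcnl32.dll favorites payload in the post.
INDICATOR_DOMAINS = {"nowfind.net", "forbiddenconversations.com",
                     "modernfucking.com", "teens5.com"}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and blank lines are skipped.
    Real hosts files list the IP first, so that is the order parsed here."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def hijacked_hosts(text):
    """A default Windows hosts file only maps localhost; anything else is a
    candidate for the hst32.dll redirect and worth reviewing."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if name not in ("localhost", "localhost.localdomain")]


def parse_url_shortcut(text):
    """A .url file is an INI file with an [InternetShortcut] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def host_matches(url):
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in INDICATOR_DOMAINS)


def scan_favorites(folder):
    """Return (file name, URL) for every .url shortcut pointing at an indicator."""
    hits = []
    for name in sorted(os.listdir(folder)):
        if not name.lower().endswith(".url"):
            continue
        with open(os.path.join(folder, name), encoding="utf-8", errors="replace") as f:
            url = parse_url_shortcut(f.read())
        if url and host_matches(url):
            hits.append((name, url))
    return hits


# Constructed hosts file: the default loopback line plus the redirect from the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       auto.search.msn.com
"""


def build_sample_favorites():
    """Write constructed .url files into a temp folder and return its path."""
    folder = tempfile.mkdtemp(prefix="favs_")
    shortcuts = {
        "Search the web.url": "http://www.nowfind.net/umax10/index.php",
        "Forbidden Conversations.url": "http://forbiddenconversations.com/",
        "Python docs.url": "https://docs.python.org/3/",  # benign control entry
    }
    for fname, url in shortcuts.items():
        with open(os.path.join(folder, fname), "w", encoding="utf-8") as f:
            f.write("[InternetShortcut]\nURL=%s\n" % url)
    return folder


if __name__ == "__main__":
    for ip, name in hijacked_hosts(SAMPLE_HOSTS):
        print("hosts override: %s -> %s" % (name, ip))
    for fname, url in scan_favorites(build_sample_favorites()):
        print("dropped favorite: %s -> %s" % (fname, url))
```

Point `scan_favorites` at a copy of the victim's Favorites folder and `hijacked_hosts` at the exported hosts file; matching on the registered domain rather than the full URL catches the `umax5`/`umax10` path variations seen in the payload.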
Waiting for a .hta file that will probably hold the secret of how they all work together.