Virus Profile: BackDoor Trojan Removal FAFB!2C8CB3D1155C

Upon execution the Trojan drops a file in the following location:

%SystemRoot%\system32\drivers\oreans32.sys (typically C:\WINDOWS\system32\drivers\oreans32.sys)

The following registry keys have been added to the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32\Enum


The following registry values have been added to the system:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control\

  • *NewlyCreated*: 0x00000000
  • ActiveService: "oreans32"


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\

  • Service: "oreans32"
  • Legacy: 0x00000001
  • ConfigFlags: 0x00000000
  • Class: "LegacyDriver"
  • ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  • DeviceDesc: "oreans32"


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\

  • NextInstance: 0x00000001


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32\Enum\

  • 0: "Root\LEGACY_OREANS32\0000"
  • Count: 0x00000001
  • NextInstance: 0x00000001


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32\Security\

  • Security (REG_BINARY, 168 bytes, a self-relative security descriptor):
    01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00
    30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00
    FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00
    02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00
    01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00
    FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00
    20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00
    00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00
    01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00
    01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00
    00 00 00 05 12 00 00 00


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oreans32\

  • Type: 0x00000001
  • Start: 0x00000001
  • ErrorControl: 0x00000001
  • ImagePath: "\??\C:\WINDOWS\system32\drivers\oreans32.sys"
  • DisplayName: "oreans32"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_OREANS32\0000\Control\

  • *NewlyCreated*: 0x00000000
  • ActiveService: "oreans32"


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_OREANS32\0000\

  • Service: "oreans32"
  • Legacy: 0x00000001
  • ConfigFlags: 0x00000000
  • Class: "LegacyDriver"
  • ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  • DeviceDesc: "oreans32"


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_OREANS32\

  • NextInstance: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32\Enum\

  • 0: "Root\LEGACY_OREANS32\0000"
  • Count: 0x00000001
  • NextInstance: 0x00000001


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32\Security\

  • Security (REG_BINARY, 168 bytes, a self-relative security descriptor):
    01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00
    30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00
    FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00
    02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00
    01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00
    FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00
    20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00
    00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00
    01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00
    01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00
    00 00 00 05 12 00 00 00


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\oreans32\

  • Type: 0x00000001
  • Start: 0x00000001
  • ErrorControl: 0x00000001
  • ImagePath: "\??\C:\WINDOWS\system32\drivers\oreans32.sys"
  • DisplayName: "oreans32"

Together these entries register a service named "oreans32" with Type 0x00000001 (SERVICE_KERNEL_DRIVER), Start 0x00000001 (SERVICE_SYSTEM_START) and ErrorControl 0x00000001 (SERVICE_ERROR_NORMAL): the I/O manager loads oreans32.sys from the ImagePath during every boot, before any user logs on, and a load failure is only logged rather than stopping the boot. CurrentControlSet is a symbolic link to the control set the system booted from (ControlSet001 here), so the two groups of keys above are the same data reached through two paths, and the LEGACY_OREANS32 device node under Enum\Root is what Plug and Play creates for a legacy (non-PnP) driver service. Note that oreans32.sys is also the name of the kernel driver installed by the Oreans Themida/WinLicense software protector, so the service name on its own shows only that Themida-protected code has run; confirm the dropped file by hash before treating it as this Trojan.
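To make the raw values above readable, here is an added example, written for this page rather than taken from the original profile or from any vendor tool, that decodes the service's Type/Start/ErrorControl DWORDs and parses the 168-byte self-relative SECURITY_DESCRIPTOR stored in the Security value. The input bytes are copied from the listing above; the access-right, control-flag and well-known-SID tables are standard Windows constants.

```python
"""Decode the oreans32 service registry artifacts listed in this profile."""
import struct

# Values copied from the Services\oreans32 listing above.
SERVICE_VALUES = {
    "Type": 0x00000001,
    "Start": 0x00000001,
    "ErrorControl": 0x00000001,
    "ImagePath": r"\??\C:\WINDOWS\system32\drivers\oreans32.sys",
}

# Services\oreans32\Security\Security, copied from the listing above.
SECURITY_HEX = (
    "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 "
    "02 00 1C 00 01 00 00 00 "
    "02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 "
    "02 00 60 00 04 00 00 00 "
    "00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 "
    "00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 "
    "00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 "
    "00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 "
    "01 01 00 00 00 00 00 05 12 00 00 00 "
    "01 01 00 00 00 00 00 05 12 00 00 00"
)

SERVICE_TYPES = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
                 0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
               3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
ERROR_CONTROLS = {0: "SERVICE_ERROR_IGNORE", 1: "SERVICE_ERROR_NORMAL",
                  2: "SERVICE_ERROR_SEVERE", 3: "SERVICE_ERROR_CRITICAL"}
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT"}
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
                   "S-1-5-18": "Local System", "S-1-5-32-544": "Administrators",
                   "S-1-5-32-547": "Power Users"}
# Service-specific rights plus the standard rights that appear in service ACEs.
ACCESS_RIGHTS = [(0x00001, "QUERY_CONFIG"), (0x00002, "CHANGE_CONFIG"), (0x00004, "QUERY_STATUS"),
                 (0x00008, "ENUMERATE_DEPENDENTS"), (0x00010, "START"), (0x00020, "STOP"),
                 (0x00040, "PAUSE_CONTINUE"), (0x00080, "INTERROGATE"),
                 (0x00100, "USER_DEFINED_CONTROL"), (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
                 (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER")]
SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000


def describe_service(values):
    """Map the Type/Start/ErrorControl DWORDs to their SCM names."""
    return {
        "type": SERVICE_TYPES.get(values["Type"], hex(values["Type"])),
        "start": START_TYPES.get(values["Start"], hex(values["Start"])),
        "error_control": ERROR_CONTROLS.get(values["ErrorControl"], hex(values["ErrorControl"])),
        "image": values["ImagePath"],
    }


def rights(mask):
    """Expand an access mask into right names (SERVICE_ALL_ACCESS is 0xF01FF)."""
    return [name for bit, name in ACCESS_RIGHTS if mask & bit]


def parse_sid(buf, off):
    """Binary SID: revision, sub-authority count, 48-bit big-endian authority, sub-authorities."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)


def parse_acl(buf, off):
    """ACL header (8 bytes) followed by AceCount ACEs; each ACE carries its own size."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, size = struct.unpack_from("<BBH", buf, pos)
        (mask,) = struct.unpack_from("<I", buf, pos + 4)
        sid = parse_sid(buf, pos + 8)
        aces.append({"type": ACE_TYPES.get(ace_type, hex(ace_type)), "flags": flags,
                     "mask": mask, "rights": rights(mask),
                     "sid": sid, "who": WELL_KNOWN_SIDS.get(sid, sid)})
        pos += size
    return aces


def parse_security_descriptor(hex_string):
    """Parse a self-relative SECURITY_DESCRIPTOR as stored in a service's Security value."""
    buf = bytes.fromhex(hex_string)
    rev, _sbz1, control, owner, group, sacl, dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative revision-1 security descriptor")
    return {
        "owner": parse_sid(buf, owner) if owner else None,
        "group": parse_sid(buf, group) if group else None,
        "sacl": parse_acl(buf, sacl) if control & SE_SACL_PRESENT and sacl else [],
        "dacl": parse_acl(buf, dacl) if control & SE_DACL_PRESENT and dacl else [],
    }


if __name__ == "__main__":
    print(describe_service(SERVICE_VALUES))
    sd = parse_security_descriptor(SECURITY_HEX)
    print("owner", sd["owner"], "group", sd["group"])
    for ace in sd["sacl"] + sd["dacl"]:
        print(ace["type"], ace["who"], hex(ace["mask"]), ",".join(ace["rights"]))
```

Running it shows the service resolving to SERVICE_KERNEL_DRIVER / SERVICE_SYSTEM_START / SERVICE_ERROR_NORMAL, an owner and group of Local System, a SACL that audits failed access by Everyone, and a DACL granting Administrators full control (0xF01FF) while Local System and Power Users get 0x201FD (everything except CHANGE_CONFIG and the write/delete standard rights) and Authenticated Users get the read-only 0x2018D. That is the stock descriptor the service control manager writes for a service created without an explicit one on XP-era Windows, so the Trojan did not tighten or loosen access to its service; an administrator can still stop and delete it through the normal service APIs.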


PeakProtection2010 (Adware) - Affected platforms: Windows 2003/XP/2000/NT/ME/98/95

Brief Description

PeakProtection2010 is a spyware/adware program that masquerades as a security scanner, claiming to inform the user about the latest spyware and virus threats on their computer in the manner of legitimate tools such as Spybot, AVG and Malwarebytes. It reaches the computer when the user visits certain websites that display banner ads and pop-ups leading to its download; it is also distributed through spam e-mail and links in e-mail messages.

Visible Symptoms

PeakProtection2010 is fairly easy to recognize:

  • When the app runs on Windows it displays an installer like the one in the screenshot. [Image: PeakProtection2010 installation window]
  • Once installed, the computer is restarted and the following screen is displayed, on which only one option can be selected. [Image: Screen displayed by PeakProtection2010]
  • When the user clicks that button, it starts scanning the system and, once finished, shows results listing supposedly infected and restored files. [Image: Results of the scan carried out by PeakProtection2010]