On execution, malware.exe creates a folder “Rapid Antivirus” and drops two executables at the following location(s):
loader[malware].exe creates a hidden batch script .bat in the same folder which forcefully delete itself and loader[malware].exe.
It also creates two DLL files and its copy at the following location(s):
It creates following mutex:
To start at system startup it adds following entries into the registry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loader[malware].exe = “%SYSTEM32%\loader[malware].exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\loader[malware].exe = “%SYSTEM32%\loader[malware].exe”
The trojan pretends to be running an exaggerated scan on the machine and generate false detection alerts as shown below. This is done to persuade the user into purchasing a full version of Antivirus software “Rapid Antivirus 2.7” to clean the malware that the trojan falsely detected.
It shows legit files being detected as Trojan, Spyware, and Worm as shown below:
If you click on leave button, following window with some warning message is displayed:
On clicking Get Full Version of Rapid Antivirus Now!, it connects to www.rapidantivirus.com and displays following subscription page: