W32/RemLoad.A!tr - 06-08-02

General Info:

This threat is a "PE" executable file


  • Other Payloads: Listen on incoming ports


  • Drop files: ".exe" + ".dll" + data

Installation to System:

  • When run, it copies itself to:
    Upon execution, the trojan performs the following actions : - it drops several files in the undefinedSystemundefined folder, including dll, exe and text files ; - it deletes the original file.

More Info:

This trojan first drops several files in the directory :
- 'checkreg.exe' ;
- 'iisload.dll' ;
- 'wsl11328.dll' ;
- 's32l.txt' ;
- 'ws386l.ini'.
and then runs 'checkreg.exe'. The dll files are injected into the Explorer process to open a backdoor and connect servers from a list of hardcoded IP addresses.

Both text files, 's32l.txt' and 'ws386l.ini', contain obfuscated data, used by 'checkreg.exe'.

The dropper also creates a run entry in the registry for 'checkreg.exe' to be launched at each boot.