Troj/Certif-L is a password stealing Trojan for the Windows platform.
Troj/Certif-L monitors system activity and collects user credentials typed into
the windows of various online banking applications.
Troj/Certif-L will attempt to download and execute a file from a predefined URL
via http. Stolen information will be uploaded to a predefined URL via ftp.
When first run Troj/Certif-L copies itself to <System>\msdirect.exe.
The following registry entry is created to run msdirect.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msdirect.exe
<System>\msdirect.exe
Troj/Certif-L will attempt to remove the following files along with any
associated registry entries:
bluetooth.exe
directsnd.exe
dxdiag32.exe
dxdiags.exe
dxdrv.exe
mailman.exe
msn_explorer.exe
terraxp.exe