Troj/Dloader-BM is a downloader Trojan.
When first run, Troj/Dloader-BM copies itself to the Windows folder as services.exe and to the Windows system folder as mssyncr.exe.
A fake dialog box is displayed asking the user to "Please choose the installation directory", followed by a message box containing the text "- Application Error", "The instruction at "0x70d4431e" referenced memory at "0x11fd0200". The memory could not be "written". Click on OK to terminate the program.".
The following registry entry is created:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(44AC6201-B203-10CC-1F32-A0BC12E2014D)\StubPath = %SYSTEM%\mssyncr.exe
The following registry entry is set:
HKCU\Software\Microsoft\RAS Autodial\Control\LoginSessionDisable = 1
The following registry entry is deleted if it exists:
HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\(44AC6201-B203-10CC-1F32-A0BC12E2014D)
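
A host check for the artifacts listed above, as an added PowerShell example that is not part of the original description: it looks for the dropped files, the Active Setup StubPath entry and the RAS Autodial value. The SysWOW64 and WOW6432Node locations are assumptions covering 32-bit redirection on 64-bit Windows, and the GUID is matched without its surrounding delimiters.

```powershell
# Added example (not vendor code): report Troj/Dloader-BM artifacts on this host.
$guid     = '44AC6201-B203-10CC-1F32-A0BC12E2014D'   # from the page, delimiters ignored
$findings = @()

# 1. Dropped copies. The genuine services.exe lives in the system folder,
#    so a file of that name directly under the Windows folder is suspect.
$files = @(
    (Join-Path $env:WINDIR 'services.exe'),
    (Join-Path $env:WINDIR 'System32\mssyncr.exe'),
    (Join-Path $env:WINDIR 'SysWOW64\mssyncr.exe')   # assumption: 32-bit redirection
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) { $findings += "File present: $f" }
}

# 2. Active Setup persistence under HKLM. Match on the GUID or on the StubPath target.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'  # assumption
)
foreach ($root in $roots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $stub = $_.GetValue('StubPath')
        if ($_.PSChildName -like "*$guid*" -or $stub -like '*mssyncr.exe*') {
            $findings += "Active Setup entry: $($_.Name) StubPath=$stub"
        }
    }
}

# 3. RAS Autodial value set by the Trojan. Weak on its own; report as supporting evidence.
$ras = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\RAS Autodial\Control' `
                        -Name 'LoginSessionDisable' -ErrorAction SilentlyContinue
if ($ras -and $ras.LoginSessionDisable -eq 1) {
    $findings += 'HKCU RAS Autodial LoginSessionDisable = 1'
}

if ($findings.Count) { $findings } else { 'No Troj/Dloader-BM artifacts found.' }
```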