Troj/RaHack-A copies itself into the %windows%\system32 folder under the names mscolsrv.exe and svchsot.exe. It also drops the following files:
%Start Menu%\Programs\Startup\system.vbs
%windows%\system32\server.dll
%windows%\system32\syshid.exe (detected as Troj/Agent-BQ)
It will attempt to autostart itself by setting the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sysser
HKCR\exefile\Shell\open\command\
@ = syshid.exe "%1" %*
The second entry replaces the default handler for executable files (normally "%1" %*), so syshid.exe is run first every time any .exe is launched.
It also creates a service named "MSCoolServ".
system.vbs is responsible for starting the COM server registered as "ComDll.1", whose registry entries can be found under:
HKCR\ComDll.1\
HKCR\ComDll.1\CLSID\(default) = %clsid%
HKCR\CLSID\%clsid%\
HKCR\CLSID\%clsid%\TypeLib\(default) = %typelibid%
HKCR\CLSID\%typelibid%\
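The following PowerShell script is an added example, not part of the original write-up, that checks a host for every indicator listed above: the dropped files, the Run entry, the exefile handler hijack, the service and the ComDll.1 registration. The %clsid% and %typelibid% placeholders are resolved at run time from HKCR\ComDll.1 rather than hard-coded, and the script reads whatever server path the CLSID registers (the write-up does not state which file backs it, so that path is reported, not assumed). The function name Test-RaHackIndicators is this example's own.

```powershell
# Added example (not Sophos code): enumerate the Troj/RaHack-A indicators from the write-up.
# Run from an elevated prompt; read-only, it changes nothing on the host.

function Get-RegDefault([string]$Path) {
    # Return the (default) value of a registry key, or $null if the key is absent.
    if (Test-Path -LiteralPath $Path) { (Get-Item -LiteralPath $Path).GetValue('') } else { $null }
}

function Test-RaHackIndicators {
    $hits  = New-Object System.Collections.Generic.List[string]
    $sys32 = Join-Path $env:windir 'System32'

    # 1. Copies of the Trojan and the files it drops.
    $files = @(
        (Join-Path $sys32 'mscolsrv.exe'),
        (Join-Path $sys32 'svchsot.exe'),
        (Join-Path $sys32 'server.dll'),
        (Join-Path $sys32 'syshid.exe'),
        # %Start Menu%\Programs\Startup may be the per-user or the all-users folder; check both.
        (Join-Path ([Environment]::GetFolderPath('Startup'))       'system.vbs'),
        (Join-Path ([Environment]::GetFolderPath('CommonStartup')) 'system.vbs')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $hits.Add("file: $f") }
    }

    # 2. Run key entry "sysser".
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'sysser' -ErrorAction SilentlyContinue
    if ($run) { $hits.Add("run key: sysser = $($run.sysser)") }

    # 3. exefile handler. A clean system has (default) = "%1" %* ; anything else
    #    means every .exe launch is being routed through another program first.
    $cmd = Get-RegDefault 'Registry::HKEY_CLASSES_ROOT\exefile\Shell\open\command'
    if ($cmd -and $cmd -ne '"%1" %*') { $hits.Add("exefile handler hijacked: $cmd") }

    # 4. Service MSCoolServ.
    $svc = Get-Service -Name 'MSCoolServ' -ErrorAction SilentlyContinue
    if ($svc) { $hits.Add("service: MSCoolServ ($($svc.Status))") }

    # 5. COM registration for ProgID ComDll.1 -> CLSID -> TypeLib.
    $clsid = Get-RegDefault 'Registry::HKEY_CLASSES_ROOT\ComDll.1\CLSID'
    if ($clsid) {
        $hits.Add("ProgID ComDll.1 -> CLSID $clsid")
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        # Report the registered server path if present (which file it is is not stated in the write-up).
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $srv = Get-RegDefault "$clsidKey\$sub"
            if ($srv) { $hits.Add("  ${sub}: $srv") }
        }
        $tlb = Get-RegDefault "$clsidKey\TypeLib"
        if ($tlb) { $hits.Add("  TypeLib: $tlb") }
    }

    return $hits
}

$result = Test-RaHackIndicators
if ($result.Count -eq 0) { 'No Troj/RaHack-A indicators found.' } else { $result }
```

One caveat when cleaning up: because the exefile handler points at syshid.exe, deleting that file before restoring HKCR\exefile\Shell\open\command\(default) to "%1" %* leaves the host unable to launch any .exe (including regedit.exe). Restore the registry value first, then remove the files, the Run entry and the service.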