alias: Trojan-Dropper.Win32.Agent.slh, Win32/Agent.NWE, W32/Trojan2.ASVQ,
length: 41,472 bytes
date: June 2008
Further information
Trojan downloader spread by e-mail. Several variants of the malware exist today.
The files the malware creates are almost identical across variants, but the so-called "dropper" (the e-mail attachment that creates those files) is frequently modified by its authors in order to evade detection by anti-virus tools.
The virus creates these files:
%System%\drivers\Kdo23.sys
- started as a Windows system service named "SCSI CLass".
%System%\WinNt32.dll
- detected as Trojan.DR.Pandex.Gen.4.
Pandex.Z creates the following Registry entries so that its service is started during system boot:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Kdo23.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Kdo23.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdo23
Next, the malware attempts to download further components from a predefined URL.
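An added host check (not part of the original description) that looks for the files, Registry keys and service listed above on a Windows machine. It assumes the service can be found either by the Services key name Kdo23 or by the display name "SCSI CLass"; the variable names are ours, the indicator values are the ones given on this page.

```powershell
# Added example: check a Windows host for the Pandex.Z artifacts listed above.
# Run from an elevated PowerShell prompt; indicator values are taken from the description.

$system32 = [Environment]::SystemDirectory   # expands %System%

# Files the dropper creates
$files = @(
    (Join-Path $system32 'drivers\Kdo23.sys'),
    (Join-Path $system32 'WinNt32.dll')
)

# Registry keys used for autostart (HKLM: provider paths)
$regKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32',
    'HKLM:\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Kdo23.sys',
    'HKLM:\SYSTEM\ControlSet001\Control\SafeBoot\Network\Kdo23.sys',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Kdo23'
)

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $item = Get-Item -LiteralPath $f
        $findings += [pscustomobject]@{
            Type   = 'File'; Name = $f
            Detail = "size=$($item.Length) modified=$($item.LastWriteTime)"
        }
    }
}

foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Name = $k; Detail = 'key present' }
    }
}

# Service name Kdo23 is assumed from the Services key; "SCSI CLass" is the display name given above
Get-Service | Where-Object { $_.Name -eq 'Kdo23' -or $_.DisplayName -eq 'SCSI CLass' } | ForEach-Object {
    $findings += [pscustomobject]@{
        Type = 'Service'; Name = $_.Name
        Detail = "display='$($_.DisplayName)' status=$($_.Status)"
    }
}

if ($findings.Count -eq 0) { Write-Output 'No Pandex.Z indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Because the dropper itself changes between variants, a clean result here only means the dropped components are absent, not that the attachment was not received.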