Attackers Abuse Security Products to Install "Bookworm" Trojan

Discussion in 'malware problems & news' started by ronjor, Nov 11, 2015.

  1. ronjor (Global Moderator)
  2. itman (Registered Member)
    The legitimate executable dropped by the threat is a component of Kaspersky Anti-Virus (ushata.exe) or a component of Microsoft Security Essentials (MsMpEng.exe). These executables are used to perform DLL side-loading and load “Loader.dll.”

    Loader.dll then decrypts the “readme.txt” file to deploy a shellcode, which in turn decrypts Bookworm’s main component (Leader.dll) and various other DLLs. Experts have pointed out that these DLL files, each designed to provide specific functionality, are not written to the disk — the malware operates only in the memory.

    Great example of using legit signed .exes to perform reflective DLL loading into memory. Question is, which directory are the legit .exes dropped to?
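    The loading chain quoted above gives a defender one durable signal: the host binary is a well-known, signed AV component, but the side-loading only works when it runs from a directory the attacker controls, with Loader.dll (and the encrypted readme.txt) beside it. The script below is an added example, not code from the article or from either poster; it runs a hunt over process telemetry and flags the two executables named in the thread when they execute outside their expected install roots, raising severity when the named sibling files sit next to them. The install roots in EXPECTED_ROOTS are assumed typical locations and should be tuned to your inventory; the process records are constructed sample data, not real indicators.

```python
"""
Hunt for DLL side-loading of a legitimate, signed AV binary (the pattern
described in the Bookworm write-up): flag process records where a known-good
executable name runs from a directory outside its expected install root, and
raise the severity when a loader DLL or its encrypted payload file sits in the
same directory.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Host executables named in the thread, mapped to the directory roots they are
# expected to live under. Roots are ASSUMED typical install locations and must
# be tuned to the software inventory of your own environment.
EXPECTED_ROOTS = {
    "msmpeng.exe": (
        r"c:\program files\microsoft security client",
        r"c:\program files\windows defender",
    ),
    "ushata.exe": (
        r"c:\program files\kaspersky lab",
        r"c:\program files (x86)\kaspersky lab",
    ),
}

# Files the write-up says are dropped beside the host executable; a sibling
# loader DLL is the stronger signal than the path alone.
SUSPICIOUS_SIBLINGS = {"loader.dll", "readme.txt"}


@dataclass
class ProcessRecord:
    """One process as reported by endpoint telemetry (constructed shape)."""
    pid: int
    image_path: str
    # Directory listing of the folder the image was launched from.
    sibling_files: List[str] = field(default_factory=list)


@dataclass
class Finding:
    pid: int
    image_path: str
    reason: str
    severity: str


def _under_root(path: PureWindowsPath, root: str) -> bool:
    """Case-insensitive check that `path` lies under directory `root`."""
    root_parts = PureWindowsPath(root).parts
    head = path.parts[: len(root_parts)]
    return tuple(p.lower() for p in head) == tuple(p.lower() for p in root_parts)


def evaluate(rec: ProcessRecord) -> Optional[Finding]:
    """Return a Finding for a watched host binary running from the wrong place."""
    path = PureWindowsPath(rec.image_path)
    name = path.name.lower()
    roots = EXPECTED_ROOTS.get(name)
    if roots is None:
        return None  # not one of the watched host binaries
    if any(_under_root(path, r) for r in roots):
        return None  # running from where the product installed it
    siblings = {s.lower() for s in rec.sibling_files}
    hits = sorted(siblings & SUSPICIOUS_SIBLINGS)
    if hits:
        return Finding(
            rec.pid, rec.image_path,
            f"{name} outside expected install root with {', '.join(hits)} alongside it",
            "high",
        )
    return Finding(rec.pid, rec.image_path, f"{name} outside expected install root", "medium")


def hunt(records: List[ProcessRecord]) -> List[Finding]:
    """Evaluate every record and keep only the ones that produced a finding."""
    return [f for f in (evaluate(r) for r in records) if f is not None]


# Constructed sample telemetry (hypothetical paths, not real indicators).
SAMPLE = [
    ProcessRecord(1204, r"C:\Program Files\Microsoft Security Client\MsMpEng.exe",
                  ["MsMpEng.exe"]),
    ProcessRecord(3388, r"C:\Users\Public\Libraries\Update\MsMpEng.exe",
                  ["MsMpEng.exe", "Loader.dll", "readme.txt"]),
    ProcessRecord(4120, r"C:\ProgramData\Temp\ushata.exe",
                  ["ushata.exe"]),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE):
        print(f"[{f.severity}] pid={f.pid} {f.image_path}: {f.reason}")
```

    The path check is deliberately a prefix match on path components rather than a string prefix, so a look-alike directory such as "Microsoft Security Client2" does not pass as legitimate; in production the sibling listing would come from the EDR's file inventory for the image directory rather than from a constructed list.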
     