How it Works
Win32 Pacex.Gen creates executables in the windows\system32 folder and registers the .dll files associated with them, creating the environment it needs to run. It also adds executable files to the windows\help folder so that the Trojan executes whenever the F1 key is pressed or the help window is opened.
It also copies certain executables into the windows\temp folder under the following name: 3a5cfe0ea1ba4a529b8755fb9c2de106dc46c0fe.exe. A corresponding DLL is also registered so that this file executes at startup.
In the windows\help folder, this Trojan copies the files f3c74e3fa248.dll and f3c74e3fa248.exe to infect the PC. Note that the .exe and .dll files are copied together so that the Trojan can execute.
Apart from copying files into the windows\system32 or windows\help folder, it adds some new entries to the system registry:
%path1% : (default) = ssuudl
%path1%\inprocserver32\ : (default) = c:\windows\help\f3c74e3fa248.dll
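The following triage check is an added example, not part of the original write-up. It scans a registry export and a file listing for the two traits described above: an InprocServer32 default value pointing into windows\help or windows\temp, and an .exe/.dll pair with the same base name in one of those folders. It assumes %path1% is a COM class key under HKEY_CLASSES_ROOT\CLSID, which the page does not state; the CLSID values, the shell32.dll entry and access.hlp are constructed sample data.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Folders the write-up names as drop locations; COM servers are not
# normally registered from the help or temp folders.
SUSPECT_DIRS = (r"c:\windows\help", r"c:\windows\temp")

# Constructed .reg export; the CLSID keys are placeholders (assumption).
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}]
@="ssuudl"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="c:\\windows\\help\\f3c74e3fa248.dll"
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
'''

# Constructed file listing; access.hlp is a benign filler entry.
SAMPLE_FILES = [
    r"C:\WINDOWS\Help\f3c74e3fa248.dll",
    r"C:\WINDOWS\Help\f3c74e3fa248.exe",
    r"C:\WINDOWS\Temp\3a5cfe0ea1ba4a529b8755fb9c2de106dc46c0fe.exe",
    r"C:\WINDOWS\Help\access.hlp",
]

def suspicious_inproc_servers(reg_export):
    """Return (key, dll_path) for InprocServer32 defaults inside SUSPECT_DIRS."""
    hits, key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and key.lower().endswith("\\inprocserver32") and line.startswith("@="):
            # .reg exports double every backslash inside quoted values
            path = line[2:].strip('"').replace("\\\\", "\\")
            if str(PureWindowsPath(path).parent).lower() in SUSPECT_DIRS:
                hits.append((key, path))
    return hits

def paired_exe_dll(paths):
    """Return base paths present as both .exe and .dll in one suspect folder."""
    seen = defaultdict(set)
    for p in map(PureWindowsPath, paths):
        if str(p.parent).lower() in SUSPECT_DIRS:
            seen[(str(p.parent).lower(), p.stem.lower())].add(p.suffix.lower())
    return sorted(f"{d}\\{s}" for (d, s), ext in seen.items() if {".exe", ".dll"} <= ext)

if __name__ == "__main__":
    print(suspicious_inproc_servers(SAMPLE_REG), paired_exe_dll(SAMPLE_FILES))
```

Files dropped into windows\system32 are not covered by the folder test, since legitimate COM servers are registered from that folder as well.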