Lab11-02.dll contains one export, named installer.

If you run the malware from the command line using rundll32.exe Lab11-02.dll,installer, the malware copies itself to the Windows system directory as spoolvxx32.dll and installs itself persistently under AppInit_DLLs. The malware also tries to open Lab11-02.ini from the Windows system directory, but it doesn’t find it there.

Lab11-02.ini must reside in %SystemRoot%\System32\ in order for the malware to run properly.

The malware installs itself in the AppInit_DLLs registry value, which causes the malware to be loaded into every process that also loads User32.dll.

This malware installs an inline hook of the send function.

The hook checks if the outgoing packet is an email ...