Contributor: Binny Kuriakose
When the Trojan is executed, it may create the following files:
- %TEMP%\[RANDOM CHARACTERS FILE NAME].bat
- %UserProfile%\Local Settings\Application Data\pny\pnd.exe
The files then inject a malicious executable payload, which may allow the attacker to steal passwords and sensitive information.
The subject line of the emails has no connection to the body of the message:
Completed: Please DocuSign this document : Confidential Company Agreement 2013..pdf
The body of the email contains the text shown in Figure 1 and an embedded URL with the following pattern: “http://xxxxx.xxx.xx/xxxxx/index.html”.
Figure 1. Spam email contents
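A small triage helper that checks an endpoint file inventory against the two dropped-file indicators above and a mail sample against the DocuSign subject lure and the index.html link pattern. This is an added example, not Symantec's tooling; it assumes %TEMP% resolves to a directory named Temp, and the file paths, subject and body below are constructed sample data.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the advisory. The .bat name is random, so only its
# location is matched; the exe is matched on its full relative drop path.
DROPPED_EXE_TAIL = ("local settings", "application data", "pny", "pnd.exe")
# Subject lure quoted in the advisory; note the doubled ".." before "pdf".
SUBJECT_RE = re.compile(r"^Completed: Please DocuSign this document\s*:.*\.\.pdf$", re.I)
# Embedded link pattern http://xxxxx.xxx.xx/xxxxx/index.html
URL_RE = re.compile(r"https?://[^\s\"'<>]+/index\.html", re.I)

def is_dropped_exe(path: str) -> bool:
    """True for ...\\Local Settings\\Application Data\\pny\\pnd.exe under any profile."""
    parts = tuple(p.lower() for p in PureWindowsPath(path).parts)
    return parts[-4:] == DROPPED_EXE_TAIL

def is_temp_bat(path: str) -> bool:
    """True for a .bat sitting directly in a Temp directory (assumption: %TEMP%
    resolves to a folder named 'Temp', the default on XP and later)."""
    p = PureWindowsPath(path)
    return p.suffix.lower() == ".bat" and p.parent.name.lower() == "temp"

def suspicious_paths(paths):
    """Return the subset of an endpoint file inventory matching either indicator.
    A lone .bat in Temp is a weak signal; pair it with pnd.exe before escalating."""
    return [p for p in paths if is_dropped_exe(p) or is_temp_bat(p)]

def suspicious_email(subject: str, body: str) -> bool:
    """True when the DocuSign lure subject and an index.html link both appear."""
    return bool(SUBJECT_RE.match(subject.strip())) and bool(URL_RE.search(body))

# Constructed sample data, not real telemetry.
SAMPLE_PATHS = [
    r"C:\Documents and Settings\alice\Local Settings\Temp\x7Gq2.bat",
    r"C:\Documents and Settings\alice\Local Settings\Application Data\pny\pnd.exe",
    r"C:\Users\bob\AppData\Local\Temp\installer.log",
    r"C:\Program Files\Vendor\pnd.exe",
]
SAMPLE_SUBJECT = "Completed: Please DocuSign this document : Confidential Company Agreement 2013..pdf"
SAMPLE_BODY = "Your document is ready. View it here: http://example.invalid/docs/index.html"

if __name__ == "__main__":
    for hit in suspicious_paths(SAMPLE_PATHS):
        print("indicator match:", hit)
    print("email matches lure:", suspicious_email(SAMPLE_SUBJECT, SAMPLE_BODY))
```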
Most such attacks exploit vulnerabilities in software on the user’s computer that has not been updated or patched in time. Users are advised to keep their software and antivirus protection up to date, and not to click on suspicious links or open files from unsolicited sources.
Symantec provides regular security updates to stave off any such attacks from spammers.