The Trojan arrives on the compromised computer as a license-protected multimedia file.
It abuses the license-acquisition feature of Windows Media Digital Rights Management (DRM) in Microsoft Windows Media Player.
When executed, the Trojan sends a POST request to the following URL:
[http://]licenses.overpeer.com/simple_li[REMOVED].
The server replies with an .htm file, which opens a browser window and loads a second .htm file from the following domain:
serve.alcena.com
The .htm file from alcena.com loads another .htm file from the following domain:
install.xxxtoolbar.com
The Trojan then displays one of the following messages:
- "Thanks for downloading this file. Click play to listen."
- "You must click YES to get access."
If the user clicks Yes or Play, the Trojan will download and execute the following files:
- 0006_adult.cab from the install.xxxtoolbar.com domain (Adware.Istbar)
- ist_netscape.xpi from the install.xxxtoolbar.com domain (Adware.Istbar)
- istinstall_netscape.exe from the www.slotch.com domain (Download.Trojan)
- javainstaller.jar from the www.ysbweb.com domain, which downloads and executes istdownload.exe (Adware.Istbar) from the www.slotch.com domain.
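As an added defensive example that is not part of this writeup, the Python below parses the ASF header of a Windows Media file and extracts the DRM license-acquisition URL from the Content Encryption Object, so a file whose license server is not an expected host can be flagged before Windows Media Player contacts it. The GUIDs and object layout come from the ASF specification; the sample file, key ID and hostnames are constructed placeholders, and files that use the newer Extended Content Encryption Object (WRMHEADER XML) are not parsed here.

```python
import struct
import uuid
from urllib.parse import urlparse

# Object GUIDs from the ASF specification (stored little-endian on disk).
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")

def _asf_obj(guid, payload):
    """Serialize one ASF object: GUID (16 bytes) + total size (QWORD) + payload."""
    return guid.bytes_le + struct.pack("<Q", 24 + len(payload)) + payload

def build_sample_asf(license_url):
    """Constructed minimal ASF header with a DRM Content Encryption Object (test data only)."""
    def field(data):
        return struct.pack("<I", len(data)) + data
    body = (field(b"\x00" * 4)                             # Secret Data (dummy)
            + field(b"DRM\x00")                            # Protection Type
            + field(b"constructed-key-id\x00")             # Key ID (placeholder)
            + field(license_url.encode("ascii") + b"\x00"))  # License URL
    inner = _asf_obj(CONTENT_ENCRYPTION, body)
    return _asf_obj(ASF_HEADER, struct.pack("<IBB", 1, 1, 2) + inner)  # count=1, Reserved1, Reserved2

def license_urls(data):
    """Walk the ASF Header Object and return the License URL of every Content Encryption Object."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != ASF_HEADER:
        return []  # not an ASF file, or truncated before the header ends
    end = min(struct.unpack_from("<Q", data, 16)[0], len(data))
    pos, found = 30, []  # 30 = GUID + size + object count + two reserved bytes
    while pos + 24 <= end:
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        size = struct.unpack_from("<Q", data, pos + 16)[0]
        if size < 24:
            break  # malformed object size; stop instead of looping forever
        if guid == CONTENT_ENCRYPTION:
            body, off, fields = data[pos + 24:pos + size], 0, []
            try:
                for _ in range(4):  # Secret Data, Protection Type, Key ID, License URL
                    n = struct.unpack_from("<I", body, off)[0]
                    fields.append(body[off + 4:off + 4 + n])
                    off += 4 + n
                found.append(fields[3].rstrip(b"\x00").decode("ascii", "replace"))
            except struct.error:
                pass  # truncated object: skip it rather than crash
        pos += size
    return found

def unexpected_license_hosts(data, allowed_hosts):
    """License URLs whose host is not on the allowlist of expected license servers."""
    return [u for u in license_urls(data) if urlparse(u).hostname not in allowed_hosts]
```

Run it over the protected .wma/.wmv files in a download directory and alert on any non-empty result from `unexpected_license_hosts`.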
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":