Trojan.PPDropper.G may arrive as an attachment to an email message.
When the Trojan is executed, it exploits a previously unknown vulnerability in Microsoft PowerPoint to drop the following files:
- %Temp%\Japan Taiwan China.pps
The Trojan then drops and deletes the following files:
Next, the Trojan creates the following registry entry so that sysload.exe executes whenever the current user logs on to Windows:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "sysload.exe"
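The "load" value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows is a legacy autostart location (the registry successor to the load= line of win.ini) that is rarely populated on a clean system, so any non-empty value there is worth examining. The following script, added here as an example and not part of the original write-up, scans the text of a `reg export` of HKEY_CURRENT_USER or HKEY_USERS for non-empty "load" or "run" values under that key and reports the command line each one would launch. The sample export embedded in the block is constructed for the example; a real `reg export` file is UTF-16LE with a BOM and must be decoded to text before it is passed to `find_load_persistence()`.

```python
"""Flag the legacy 'load'/'run' autostart values under
HK{CU,U\<SID>}\Software\Microsoft\Windows NT\CurrentVersion\Windows in a .reg export."""
import re

# Constructed sample export (not taken from the original write-up): one user with
# the same 'load' value the Trojan creates, one user with a REG_EXPAND_SZ 'run'
# value, and an unrelated Run key that must not be reported.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="sysload.exe"
"DeviceNotSelectedTimeout"="15"

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""
"run"=hex(2):43,00,3a,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,78,00,2e,00,65,00,\
  78,00,65,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
'''

# Matches the per-user key, either as HKEY_CURRENT_USER or as HKEY_USERS\<SID>.
KEY_RE = re.compile(
    r"^\[(?P<hive>HKEY_CURRENT_USER|HKEY_USERS\\[^\\\]]+)"
    r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\]$",
    re.IGNORECASE,
)
# "name"=<data>; the name may contain escaped quotes or backslashes.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _logical_lines(text):
    """Join .reg continuation lines (a trailing backslash continues hex data)."""
    buf = ""
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        yield buf + line.strip()
        buf = ""


def _decode_reg_data(raw):
    """Return string data for REG_SZ ("...") or REG_EXPAND_SZ (hex(2):...), else None."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        # .reg escapes backslash and double quote with a backslash.
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r"hex\(2\):(.*)$", raw, re.IGNORECASE)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return None  # DWORD/binary data cannot hold a command line; ignore


def find_load_persistence(reg_text):
    """Return [(key, value_name, command)] for every non-empty load/run value
    found under the per-user Windows NT\\CurrentVersion\\Windows key."""
    hits = []
    current_key = None
    in_target = False
    for line in _logical_lines(reg_text):
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            in_target = KEY_RE.match(line) is not None
            continue
        if not in_target:
            continue
        m = VALUE_RE.match(line)
        if not m or m.group("name").lower() not in ("load", "run"):
            continue
        command = _decode_reg_data(m.group("data"))
        if command:  # an empty value is the benign default
            hits.append((current_key, m.group("name"), command))
    return hits


if __name__ == "__main__":
    for key, name, command in find_load_persistence(SAMPLE_REG):
        print(f"[{key}] {name} = {command!r}")
```

On a live host the same two values can be read directly with `Get-ItemProperty 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'` in PowerShell; the export-parsing form above is useful when triaging hives collected from many hosts offline. Note that the value the Trojan writes is a bare file name with no path, so the reported command alone does not tell you where sysload.exe lives; locate the file separately before deciding it is malicious.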
The Trojan then opens the following file:
%Temp%\Japan Taiwan China.pps
The file sysload.exe then starts the following process:
The file imjp86.ime is injected into the above process.
Next, the Trojan connects to an HTTP server at the following location:
It also connects to an HTTP server at the following location for further instructions:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":