When the worm is executed, it creates the following file:
The worm then creates the following registry entries, so that it starts when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"nClient" = "%System%\cnen.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"nClient" = "%System%\cnen.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\"nClient" = "%System%\cnen.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"nClient" = "%System%\cnen.exe"
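As an added example, not part of the Symantec writeup, the following PowerShell function walks the four autostart keys listed above and reports any value whose name is "nClient" or whose data references cnen.exe. It assumes it is run with administrative rights on the host being examined; the key list and the indicator names come from the entries above, while the function and parameter names are this example's own.

```powershell
# Added example (not Symantec's code): check the Run/RunOnce/RunOnceEx/RunServices
# keys named in the writeup for the worm's persistence value.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

# Property names that Get-ItemProperty adds about the registry item itself, not values under it.
$providerMetadata = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Find-SuspiciousAutostart {
    param(
        [string[]]$Keys,
        [string]$ValueName = 'nClient',   # value name from the writeup
        [string]$ImageName = 'cnen.exe'   # dropped executable from the writeup
    )
    $pattern = [regex]::Escape($ImageName)
    foreach ($key in $Keys) {
        # RunServices and RunOnceEx do not exist on every Windows version; skip missing keys.
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($providerMetadata -contains $prop.Name) { continue }
            $data = [string]$prop.Value
            # %System% is expanded on disk, so match on the file name rather than the literal path.
            if ($prop.Name -eq $ValueName -or $data -match $pattern) {
                [pscustomobject]@{ Key = $key; ValueName = $prop.Name; Data = $data }
            }
        }
    }
}

# Usage: list matches; an empty result means none of the four keys carries the indicator.
Find-SuspiciousAutostart -Keys $autostartKeys | Format-Table -AutoSize
```

Matching on the value name and the executable name separately catches the case where only one of the two was changed by a variant; the same function can be pointed at HKCU autostart keys by passing a different key list.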
It also modifies entries under the following subkeys, which may delete or modify Windows event logger services:
The worm also creates the following mutex so that only one instance of the threat runs on the compromised computer:
The worm then downloads a copy of Backdoor.Trojan from the following URL, and saves it as C:\site.exe:
The worm then attempts to spread to computers on the local network by exploiting the following vulnerabilities:
The worm opens a random port and waits for a connection from computers it has attempted to exploit. If the worm successfully exploits another computer, it then sends a copy of the worm as C:\u.exe and executes it.
The worm opens a back door by connecting to the following IRC servers on TCP port 8080 and joining a predetermined channel:
This allows a remote attacker to perform various unauthorized actions on the compromised computer.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":