The Trojan may be downloaded or delivered silently through Web exploits and then executed.
Once executed, the Trojan copies itself as the following file:
C:\Documents and Settings\Administrator\Local Settings\Temp\wscnfy32.exe
It then creates the following files:
- %ProgramFiles%\Internet Explorer\setupapi.dll
The file names may be randomly generated.
The Trojan continuously attempts to download files from the microcbs.com domain. One of these files is a config file with new URLs to contact and the other file is a copy of Trojan.Silentbanker
The downloader also attempts to change various security and firewall settings by checking for any windows that contain the following text:
- Warning: Components Have Changed
- Hidden Process Requests Network Access
- Windows Security Alert
- Allow all activities for this application
- ZoneAlarm Security Alert
- Create rule for %s
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":