When the worm executes, it copies itself as the following file:
The worm spreads by copying itself to all drive letters available on the compromised computer, including removable drives and mapped network shares, as the following file:
When the above file is executed, the worm creates a mutex and also creates the following new copy of itself:
It then deletes the original file.
Next, the worm creates the following file so that it runs whenever removable drives are connected to another computer:
It then drops the following file:
The above file is actually a .dll file.
The threat copies the legitimate file %System%\msi.dll to %Temp%\tmp[RANDOM NUMBERS].tmp. The copy is then modified to include some of the worm's own code.
It then modifies structures in memory to redirect system calls for the MSIServer service so that the modified copy is loaded instead of the original, which results in the worm's code being executed.
The worm may then create the following registry entries:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\"PendingFileRenameOperations" = "[RANDOM HEXADECIMAL CHARACTERS]"
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSISERVER\0000\Control\"ActiveService" = "MSIServer"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\"PendingFileRenameOperations" = "[RANDOM HEXADECIMAL CHARACTERS]"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSISERVER\0000\Control\"ActiveService" = "MSIServer"
The worm deletes the browser history from the following applications:
- Internet Explorer
It then downloads another malicious component using an HTTP POST request to the following address:
The POST data contains 45 bytes of information on how to encrypt the response. It also serves as authentication to the server so that only the malicious component of the worm can download the payload.
It saves the above file as the following file and executes it:
It changes the DNS settings for all network connections to two of the following IP addresses:
The worm drops a kernel driver to the following location:
The driver is loaded by creating the following registry subkey:
The kernel driver removes traces of itself when it is loaded by deleting the following registry subkey:
It also denies the following processes Internet access:
The worm injects the following file into the svchost.exe process:
It creates the following registry subkey to store data about the worm:
It hides files and registry subkeys that have the following prefix:
The worm modifies the DNS entries on the compromised computer. In the case of an infection in a server/client environment, clients on the compromised network might acquire the malicious DNS addresses from an infected server without actually being infected themselves, redirecting their queries to an address controlled by the remote attacker.
The worm acts as a DHCP server for all computers on the compromised computer's LAN, serving the following malicious DNS addresses to redirect all DNS queries to an address controlled by the remote attacker:
- 220.127.116.11 (primary)
- 18.104.22.168 (secondary)
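Because the rogue DHCP behaviour is the part of this infection that is visible on the wire, the following is an added detection example (not code from the Symantec writeup): it parses the options field of a DHCP OFFER and flags offers that advertise the two DNS addresses above or any resolver outside the site's expected set. The packet bytes are constructed for the example.

```python
"""Flag DHCP offers that hand out the worm's DNS servers (constructed example)."""
import ipaddress

# The two DNS addresses the writeup says the worm serves over DHCP.
MALICIOUS_DNS = {"220.127.116.11", "18.104.22.168"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 options-field prefix
OPT_MSG_TYPE, OPT_DNS, OPT_PAD, OPT_END = 53, 6, 0, 255


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from a DHCP options field (TLV encoding)."""
    if not payload.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(MAGIC_COOKIE)
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def dns_servers(opts: dict) -> list:
    """Decode option 6 (a list of 4-byte IPv4 addresses) into dotted strings."""
    raw = opts.get(OPT_DNS, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]


def check_offer(payload: bytes, expected_dns: set) -> dict:
    """Report the offered resolvers, known-bad ones, and any not in expected_dns."""
    servers = dns_servers(parse_dhcp_options(payload))
    return {
        "dns": servers,
        "known_malicious": sorted(set(servers) & MALICIOUS_DNS),
        "unexpected": [s for s in servers if s not in expected_dns],
    }


def build_offer_options(dns_ips: list) -> bytes:
    """Constructed helper: build a minimal OFFER options field carrying option 6."""
    body = bytes([OPT_MSG_TYPE, 1, 2]) + bytes([OPT_DNS, 4 * len(dns_ips)])
    body += b"".join(ipaddress.IPv4Address(ip).packed for ip in dns_ips)
    return MAGIC_COOKIE + body + bytes([OPT_END])


# Constructed sample offers: one from the worm, one from the legitimate server.
ROGUE_OFFER = build_offer_options(["220.127.116.11", "18.104.22.168"])
BENIGN_OFFER = build_offer_options(["10.0.0.2"])
```

Run `check_offer(ROGUE_OFFER, {"10.0.0.2"})` to see both addresses reported under `known_malicious`; a benign offer from the site's own server produces empty lists.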
The worm may also download potentially malicious files onto the compromised computer.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":