Once executed, the Trojan attempts to exploit the Adobe Flash Player, Acrobat Reader, and Acrobat 'authplay.dll' Remote Code Execution Vulnerability.
The Trojan then downloads a bitmap file from the following URL:
The bitmap file contains an encrypted file (detected as Backdoor.Trojan).
The downloaded file is extracted to %Temp%\upt.exe and executed.
It then creates the following files:
Next, it copies the file %System%\qmgr.dll to %System%\kernel64.dll.
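A host check for the two file artifacts named above (%Temp%\upt.exe, and %System%\kernel64.dll as a copy of qmgr.dll) is sketched below as an added example; it is not part of the original write-up. The function names are hypothetical, and mapping %System% to `%SystemRoot%\System32` and %Temp% to the `TEMP` environment variable is an assumption.

```python
import hashlib
import os
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large DLLs are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_file(directory, name):
    """Return the file in `directory` matching `name` case-insensitively, or None."""
    try:
        for entry in os.scandir(directory):
            if entry.is_file() and entry.name.lower() == name.lower():
                return Path(entry.path)
    except OSError:
        pass  # directory missing or unreadable: treat as "not found"
    return None


def check_host(system_dir, temp_dir):
    """Return (kind, path, sha256) tuples for the artifacts the write-up names."""
    findings = []
    dropped = find_file(temp_dir, "upt.exe")
    if dropped:
        findings.append(("dropped_payload", str(dropped), sha256_of(dropped)))
    kernel64 = find_file(system_dir, "kernel64.dll")
    if kernel64:
        k_hash = sha256_of(kernel64)
        qmgr = find_file(system_dir, "qmgr.dll")
        # The write-up says kernel64.dll is created by copying qmgr.dll,
        # so a byte-identical pair matches the described behaviour.
        same = qmgr is not None and sha256_of(qmgr) == k_hash
        findings.append(("qmgr_copy" if same else "kernel64_present",
                         str(kernel64), k_hash))
    return findings


if __name__ == "__main__":
    # Assumed default locations; adjust for the host being examined.
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    temp_dir = os.environ.get("TEMP", "")
    for kind, path, digest in check_host(system_dir, temp_dir):
        print(f"{kind}\t{path}\t{digest}")
```

A `kernel64_present` result means the file exists but no longer matches qmgr.dll, which can happen after qmgr.dll is updated; either result warrants review of the file.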
It then connects to the following URL:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":