This worm may arrive on the computer at a location and using a file name specified by the attacker, for example:
%CurrentFolder%\[THREAT FILE NAME].exe
When the worm executes, it creates the following registry subkey:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\[EIGHT TO TEN RANDOM CHARACTERS]
Next, it modifies the following registry entry in order to add itself to the list of applications authorized by the Windows firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%CurrentFolder%\[THREAT FILE NAME].exe" = "%CurrentFolder%\[THREAT FILE NAME].exe:*:Enabled:Windows Messanger"
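As an added triage example (not part of the Symantec writeup), the following Python parses a .reg export and flags the two registry artifacts described above: the firewall allow-list entry whose display name is the misspelled "Windows Messanger", and the random-named subkey under SrvID\ID. The sample export, the victim file paths and the random key name are constructed; only the key paths and the "Windows Messanger" string come from the writeup.

```python
import re

# Constructed sample .reg export (not from a real machine): one benign firewall
# entry, one entry matching the worm's pattern, and a constructed SrvID marker key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Users\\victim\\Downloads\\update.exe"="C:\\Users\\victim\\Downloads\\update.exe:*:Enabled:Windows Messanger"

[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\aK8qZ2pX9]
"ID"="1"
'''

FIREWALL_LIST = ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess"
                 "\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List")
SRVID_PREFIX = "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SrvID\\ID\\"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg exports escape backslash and double quote with a leading backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {key_path: {value_name: string_data}} for REG_SZ values in a .reg export."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            entries.setdefault(key, {})
        elif key is not None:
            m = VALUE_RE.match(line)
            if m:
                entries[key][_unescape(m.group(1))] = _unescape(m.group(2))
    return entries

def find_indicators(entries):
    """Flag the firewall allow-list entry and the SrvID marker key this worm leaves behind."""
    hits = []
    for name, data in entries.get(FIREWALL_LIST, {}).items():
        # Value format: "<path>:<scope>:<Enabled|Disabled>:<display name>"
        fields = data.rsplit(':', 3)
        display = fields[-1] if len(fields) == 4 else ''
        if display.lower() == 'windows messanger':  # misspelled name written by the worm
            hits.append(f'firewall allow-list entry with misspelled display name: {name}')
        elif fields[0] != name:
            hits.append(f'firewall allow-list entry whose path differs from its value name: {name}')
    for key in entries:
        suffix = key[len(SRVID_PREFIX):] if key.startswith(SRVID_PREFIX) else ''
        if 8 <= len(suffix) <= 10 and '\\' not in suffix:
            hits.append(f'SrvID marker key with random name: {key}')
    return hits

if __name__ == '__main__':
    for hit in find_indicators(parse_reg(SAMPLE_REG)):
        print(hit)
```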
The worm then connects to a remote location, allowing an attacker to perform the following actions on the compromised computer:
- Hijack the audio or video on the compromised computer
- Inject itself into other running executable files
- Perform DDoS attacks through UDP flooding
- Record all keystrokes
- Run as a proxy, redirecting an attacker's traffic
- Sniff network traffic
- Upload or download files through HTTP and FTP
Next, the worm may steal passwords from the following applications:
- Microsoft Outlook
- Mozilla Firefox
It may then search through the registry for a number of installed applications and steal passwords from these as well.
The remote attacker may attempt to spread the worm through the following file-sharing applications, if installed on the compromised computer:
The worm may also be instructed by the remote attacker to install its own BitTorrent application in order to spread to other computers.
It may also attempt to spread through instant messaging applications by dropping a link to itself in any active windows.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":