The Trojan may arrive as a Microsoft Word document containing an exploit for the Microsoft Windows 'Win32k.sys' TrueType Font Handling Remote Code Execution Vulnerability (BID 50462). Successful exploitation of the vulnerability will enable the Trojan to be dropped and executed on the targeted computer.
When the Trojan is executed, it creates one or more of the following files:
It then creates one or more of the following registry subkeys:
The Trojan then opens a back door allowing an attacker to gather the following information from the compromised computer:
- A list of running processes, account details, and domain information
- Drive names and other information, including those of shared drives
- Network information (interfaces, routing tables, shares list, etc.)
- Open window names
- Enumerated shares
- File exploration on all drives, including removable drives
- Enumeration of computers in the domain through NetServerEnum
The Trojan then sends the information gathered to a predetermined command and control (C&C) server.
It also downloads further malicious files from the C&C server.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":