This threat has been observed being dropped by malicious documents distributed through email.
When the Trojan is executed, it creates the following file:
Next, it modifies the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\DesktopProcess\"DesktopProcess" = "1"
The file %Windir%\ntshrui.dll is then loaded by explorer.exe in an attempt to open a back door on the compromised computer, allowing a remote attacker to perform the following actions:
- Download and execute remote files
- Upload system information, such as the operating system version, the logged-in user, disk space information, and CPU details
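The registry value and the DLL path above are the two host artifacts a defender can check for directly. The PowerShell below is an added example for that audit, not part of the Symantec writeup; it assumes the legitimate ntshrui.dll lives in %Windir%\System32 (its normal location on Windows, so a copy directly under %Windir% is the misplaced one), and that it is run in an elevated session so that explorer.exe's module list can be read.

```powershell
# Added example (not from the writeup): audit a Windows host for the indicators
# named above. Assumes the genuine ntshrui.dll resides in %Windir%\System32.

$regKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\DesktopProcess'
$regName    = 'DesktopProcess'
$hijackPath = Join-Path $env:WINDIR 'ntshrui.dll'            # path the writeup names
$legitPath  = Join-Path $env:WINDIR 'System32\ntshrui.dll'   # assumed legitimate copy

$findings = @()

# 1. Registry: the writeup's modified value. A value of 1 is the indicator.
$val = Get-ItemProperty -Path $regKey -Name $regName -ErrorAction SilentlyContinue
if ($val -and [int]$val.$regName -eq 1) {
    $findings += "Registry: $regKey\$regName = 1"
}

# 2. File: ntshrui.dll sitting directly under %Windir% rather than in System32.
#    Record hash and signature status so the sample can be triaged, and compare
#    against the System32 copy to confirm it is not simply a duplicate.
if (Test-Path -Path $hijackPath) {
    $hash = (Get-FileHash -Path $hijackPath -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $hijackPath
    $findings += "File: $hijackPath present (SHA256 $hash, signature: $($sig.Status))"
    if (Test-Path -Path $legitPath) {
        $legitHash = (Get-FileHash -Path $legitPath -Algorithm SHA256).Hash
        if ($legitHash -ne $hash) {
            $findings += "File: $hijackPath differs from $legitPath"
        }
    }
}

# 3. Process: is a running explorer.exe currently loaded from the misplaced path?
Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try {
        $proc.Modules |
            Where-Object { $_.FileName -ieq $hijackPath } |
            ForEach-Object {
                $findings += "Process: explorer.exe (PID $($proc.Id)) loaded $($_.FileName)"
            }
    } catch {
        # Module enumeration fails without sufficient privilege or across bitness.
        Write-Warning "Could not enumerate modules for PID $($proc.Id): $_"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the writeup found on this host.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The three checks are independent: the registry value alone is a weak signal (it is a legitimate Explorer setting), the misplaced DLL is the strong one, and the module check tells you whether the back door is live rather than merely staged. Run it on a clean reference machine first so the expected baseline is known before using it across a fleet.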
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":