When the Trojan is executed, it decrypts an .exe, .doc, or .docx file that is appended to its own code. It then saves the file to the current folder and launches the default application for that extension, e.g. Microsoft Word.
When Microsoft Word is closed, the threat deletes the Microsoft Word file that it created.
Next, the Trojan creates the following file that is a copy of the executable part of the threat (i.e. without the appended document):
%UserProfile%\Application Data\Microsoft\[EIGHT RANDOM UPPERCASE CHARACTERS].exe
When the computer restarts, the above file is moved to the following location:
%Windir%\xpsp2res.dll
The Trojan then infects all .exe, .doc, and .docx files by encrypting them and appending them to a copy of itself. The infected .doc and .docx files are renamed with a new file extension:
[ORIGINAL FILE NAME].docx becomes [ORIGINAL FILE NAME]xcod.scr
Note: After the threat has been removed from the computer, the file extension for all Microsoft Word files will need to be manually reset. The .exe file extensions will not need to be manually reset.
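To check a cleanup and find the Word documents whose extensions still need resetting, the following added Python example (not from the Symantec writeup) inventories the artifacts described above purely by file-name shape; the sample listing it runs on is constructed.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple
# Renaming rule stated in the writeup:
#   [ORIGINAL FILE NAME].docx  ->  [ORIGINAL FILE NAME]xcod.scr
RENAMED_SUFFIX = "xcod.scr"
# Dropper name shape from the writeup: eight random uppercase letters plus .exe
# under %UserProfile%\Application Data\Microsoft\; matched by shape, not name.
DROPPER_RE = re.compile(r"^[A-Z]{8}\.exe$")
PERSISTENCE_DLL = "xpsp2res.dll"  # name the dropper is moved to under %Windir%

def original_name(renamed: str) -> Optional[str]:
    """Pre-infection .docx name for a renamed file, or None when the name does
    not follow the documented pattern (so unrelated files are never touched)."""
    stem_len = len(renamed) - len(RENAMED_SUFFIX)
    if stem_len <= 0 or renamed[stem_len:].lower() != RENAMED_SUFFIX:
        return None
    return renamed[:stem_len] + ".docx"

def find_renamed_docs(paths: List[str]) -> List[Tuple[str, str]]:
    """(renamed path, path with the extension reset) for each match. Report only:
    per the writeup, extensions are reset after the threat has been removed."""
    pairs = []
    for p in paths:
        wp = PureWindowsPath(p)
        orig = original_name(wp.name)
        if orig:
            pairs.append((p, str(wp.with_name(orig))))
    return pairs

def find_persistence(paths: List[str]) -> List[str]:
    """Paths whose file name matches the dropper shape or the persistence DLL."""
    hits = []
    for p in paths:
        name = PureWindowsPath(p).name
        if DROPPER_RE.match(name) or name.lower() == PERSISTENCE_DLL:
            hits.append(p)
    return hits

if __name__ == "__main__":
    # Constructed sample listing, not indicators from a real incident.
    sample = [r"C:\Users\alice\Documents\Quarterly reportxcod.scr",
              r"C:\Users\alice\Documents\notes.docx",
              r"C:\Users\alice\Application Data\Microsoft\QWERTYUI.exe",
              r"C:\Windows\xpsp2res.dll"]
    for renamed, restored in find_renamed_docs(sample):
        print(f"reset extension: {renamed} -> {restored}")
    for hit in find_persistence(sample):
        print(f"persistence artifact: {hit}")
```

The persistence check matches only the documented name shape, so a legitimate eight-letter uppercase .exe elsewhere is a false positive to review by path, not an automatic verdict.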
The Trojan then connects to one of the following command-and-control (C&C) servers:
- [http://]realis-nitra.sk/admin/user/way[REMOVED]
- [http://]new.disans.ru/script/way[REMOVED]
- [http://]attow.com.br/includes/domit/way[REMOVED]
- [http://]www.zugor-bikes.com/way[REMOVED]
It then attempts to download a .jpg file from one of the following URLs, extract encrypted data from it, and update the C&C server list:
- [https://]forum.4game.com/imag[REMOVED]
- [https://]forum.perfect-privacy.com/imag[REMOVED]
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":