When the worm executes, it creates the following mutex:
It then creates the following files:
- %Temp%\DLL[RANDOM CHARACTERS].tmp.dll
- %Temp%\VBS[RANDOM CHARACTERS].tmp.vbs
Next, the worm creates the following registry entries, which grant programmatic access to the VBA project object model and thereby lower the security settings for Microsoft Word:
- HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security\"AccessVBOM" = "1"
- HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\"AccessVBOM" = "1"
- HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security\"AccessVBOM" = "1"
- HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Security\"AccessVBOM" = "1"
It then opens a new instance of Microsoft Word and inserts macro code to execute the dropped .dll file.
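As an added defender-side example (not part of this write-up), the following Python script audits the per-user AccessVBOM values the worm sets and can reset them to 0. The Office version numbers beyond the 8.0 to 12.0 keys listed above, and the REG_DWORD type used when resetting, are assumptions; on a non-Windows host the script evaluates a constructed sample instead of the live registry.

```python
"""Audit (and optionally reset) the per-user Word AccessVBOM setting.

AccessVBOM = 1 is Word's "Trust access to the VBA project object model"
option: with it on, any process that automates Word can inject macro code,
which is how the worm runs its dropped .dll. An absent value or 0 is the
secure default. Assumption: later Office releases use the same key layout
as the 8.0 to 12.0 keys named in the write-up.
"""
import sys

# Versions named in the write-up plus later Office releases (assumption).
OFFICE_VERSIONS = ("8.0", "10.0", "11.0", "12.0", "14.0", "15.0", "16.0")
KEY_TEMPLATE = r"Software\Microsoft\Office\{ver}\Word\Security"
VALUE_NAME = "AccessVBOM"

# Constructed sample mirroring the write-up; used when not running on Windows.
SAMPLE_VALUES = {"8.0": 1, "10.0": 1, "11.0": 1, "12.0": 1, "14.0": 0, "16.0": None}


def assess(values):
    """Return the Office versions whose AccessVBOM is 1, in version order.

    `values` maps version string -> registry value (int or str), or None when
    the key or value does not exist; versions missing from the mapping are
    treated as absent.
    """
    findings = []
    for ver in OFFICE_VERSIONS:
        val = values.get(ver)
        if val is None:
            continue  # absent: Word uses its secure default
        if str(val).strip() == "1":  # accepts REG_DWORD 1 or REG_SZ "1"
            findings.append(ver)
    return findings


def read_registry_values():
    """Read AccessVBOM for each known version from HKCU (Windows only)."""
    import winreg  # standard library on Windows
    values = {}
    for ver in OFFICE_VERSIONS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY_TEMPLATE.format(ver=ver)) as key:
                values[ver] = winreg.QueryValueEx(key, VALUE_NAME)[0]
        except FileNotFoundError:
            values[ver] = None  # key or value not present
    return values


def reset_access_vbom(versions):
    """Set AccessVBOM back to 0 (assumed REG_DWORD) for the given versions (Windows only)."""
    import winreg
    for ver in versions:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY_TEMPLATE.format(ver=ver),
                            0, winreg.KEY_SET_VALUE) as key:
            winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, 0)


def main(argv):
    if sys.platform == "win32":
        values = read_registry_values()
    else:
        values = SAMPLE_VALUES  # offline demonstration on non-Windows hosts
    findings = assess(values)
    for ver in findings:
        print(f"HKCU\\{KEY_TEMPLATE.format(ver=ver)}\\{VALUE_NAME} = 1 (Office {ver})")
    if not findings:
        print("AccessVBOM is not enabled for any known Word version")
    elif "--fix" in argv and sys.platform == "win32":
        reset_access_vbom(findings)
        print("reset to 0 for: " + ", ".join(findings))
    return len(findings)


if __name__ == "__main__":
    sys.exit(1 if main(sys.argv[1:]) else 0)
```

Run it as the affected user, since the keys live under HKEY_CURRENT_USER; the exit status is non-zero when any version has the setting enabled, so the check can be scheduled and alerted on, and `--fix` only writes on Windows after the audit has listed what it found.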
The worm attempts to spread by exploiting the following vulnerability:
Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability
It also attempts to spread by copying itself to removable drives as the following file:
The worm creates the following file so that it runs when the above drives are accessed:
Next, the worm gathers the following information from the compromised computer:
- Computer name
- Version information, including the platform ID, build number, and service pack version number
It then sends the stolen information to the following location:
The worm may download files from the above server and execute them.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":