When the Trojan is executed, it may create the following files:
Next, the Trojan drops the following file, which may be a 32-bit or 64-bit driver, depending on the operating system:
Then the threat uses an untrusted certificate to load the driver.
It may also modify the following registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing\"Policy" = "00"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing\"Policy" = "00"
- HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\[HEXADECIMAL VALUE]\"Blob" = "[BINARY DATA]"
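One way a defender can audit a host for the registry changes listed above, as an added PowerShell example that is not part of the Symantec writeup; the baseline file path is an assumption, and the AuthRoot comparison relies on the .NET LocalMachine AuthRoot store being backed by the registry key named above:

```powershell
# Added audit script (not part of the Symantec writeup). It inspects the registry
# locations the writeup lists: the two signing-policy values and the AuthRoot store.
# Run in an elevated PowerShell on the host being examined.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Signing policy values. The writeup reports both set to "00"; the value is
#    REG_BINARY, so compare it as a hex string rather than as a number.
foreach ($key in @('HKLM:\SOFTWARE\Microsoft\Driver Signing',
                   'HKLM:\SOFTWARE\Microsoft\Non-Driver Signing')) {
    $item = Get-ItemProperty -Path $key -Name Policy -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $hex = (([byte[]]$item.Policy) | ForEach-Object { $_.ToString('x2') }) -join ''
    if ($hex -eq '00') {
        $findings.Add("$key\Policy = 00 (signature enforcement disabled)")
    }
}

# 2. AuthRoot certificates. Each subkey under Certificates is named by the
#    certificate's SHA-1 thumbprint (the [HEXADECIMAL VALUE] in the writeup).
#    Rather than decoding Blob by hand, open the same store through .NET and
#    compare against a thumbprint baseline exported earlier from a clean host
#    (the baseline path is an assumption for this example).
$baselinePath = 'C:\baseline\authroot-thumbprints.txt'
$baseline = @()
if (Test-Path $baselinePath) { $baseline = Get-Content $baselinePath }

$regThumbprints = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty PSChildName

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('AuthRoot', 'LocalMachine')
$store.Open('ReadOnly')
try {
    foreach ($cert in $store.Certificates) {
        # Flag only certificates present in the registry store and absent from the baseline
        if ($regThumbprints -contains $cert.Thumbprint -and $baseline -notcontains $cert.Thumbprint) {
            $findings.Add("Unbaselined AuthRoot certificate $($cert.Thumbprint): $($cert.Subject), expires $($cert.NotAfter)")
        }
    }
} finally {
    $store.Close()
}

if ($findings.Count -eq 0) { 'No indicators from the writeup found' } else { $findings }
```

A flagged certificate should be compared against the vendor's published root list before it is removed, since legitimate roots added by Windows Update will also be absent from an old baseline.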
The back door allows a remote attacker to perform the following actions on the compromised computer:
- Open connections over a SOCKS5 proxy
- Download files onto the compromised computer
- Upload files to a remote location
- Open a command shell
- Stop executing
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":