This threat is known to arrive on the compromised computer by exploiting the following vulnerabilities:
Oracle Java SE Rhino Script Engine Remote Code Execution Vulnerability (CVE-2011-3544)
Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507)
When the Trojan is executed, it creates the following file:
%Temp%\[ONE LETTER].tmp.exe
It then opens a back door and connects to the command-and-control (C&C) server in order to download additional component files.
Next, the Trojan gathers information about the compromised computer and sends it to the C&C server.
It also injects itself into a svchost.exe process in order to receive commands from the C&C server. Some of the commands it can perform are as follows:
- Uninstall itself
- Set up a Virtual Network Computing (VNC) session
- Gather cookies
- Execute a file
- Upload a file
- Spread itself
It may attempt to spread by replacing files with the following extensions on removable drives and network shares:
- .ma
- .md
- .acc
- .ad
- .vtx
- .vsx
- .vdx
- .vst
- .vss
- .vsd
- .ppsx
- .pps
- .pptx
- .ppt
- .one
- .docx
- .doc
- .xls
- .lnk
- .bat
- .com
- .exe
When it finds a file with one of the extensions listed above, it renames the original file to the following name:
Copy of [ORIGINAL FILE NAME].[EXTENSION]
It sets the Hidden and System attributes on the renamed file so that Explorer, which by default shows neither hidden files nor protected operating system files, no longer displays it.
Next, the Trojan creates a copy of itself in the same directory under the name thumbs.dbh, which resembles Explorer's legitimate Thumbs.db thumbnail cache file.
It also creates the following file as a replacement for the original file in order to trick users into running the Trojan:
[ORIGINAL FILE NAME].lnk
When the user opens that shortcut, the Trojan runs and then opens the original file, so the user sees the expected document and nothing appears amiss.
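The rename/hide/replace pattern above leaves a recognisable triple in every infected directory: a "Copy of <name>.<ext>" victim, a planted "<name>.lnk" and a thumbs.dbh dropper copy. The following script is an added example for triaging removable drives and shares, not Symantec's code and not derived from the sample: it walks a tree, flags directories holding all three artifacts, reports whether the victim carries the Hidden+System attributes (only checkable on Windows; elsewhere it reports None), and can undo the damage by deleting the shortcut and dropper and restoring the original name. The sample tree it builds is constructed for the demonstration; the function names and the decision to require all three artifacts before flagging are this example's own choices. It assumes Python 3.8 or later.

```python
import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

DROPPER_NAME = "thumbs.dbh"   # the Trojan copy dropped beside the victims
COPY_PREFIX = "Copy of "      # prefix given to each renamed original
TARGET_EXTS = {               # extensions the writeup lists as targeted
    ".ma", ".md", ".acc", ".ad", ".vtx", ".vsx", ".vdx", ".vst", ".vss", ".vsd",
    ".ppsx", ".pps", ".pptx", ".ppt", ".one", ".docx", ".doc", ".xls", ".lnk",
    ".bat", ".com", ".exe",
}

@dataclass
class Finding:
    directory: Path
    victim: Path                   # "Copy of <name>.<ext>": the renamed original
    lnk: Path                      # "<name>.lnk": the shortcut planted in its place
    dropper: Path                  # "thumbs.dbh" in the same directory
    hidden_system: Optional[bool]  # Hidden+System set on victim; None off Windows

def hidden_and_system(path: Path) -> Optional[bool]:
    """True if Hidden and System are both set; None where the OS has no DOS attributes."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return None
    want = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
    return attrs & want == want

def scan(root: Path) -> List[Finding]:
    """Report each directory holding dropper + 'Copy of <name>.<ext>' + '<name>.lnk'.
    Names are matched case-insensitively, as NTFS and SMB shares do."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        if DROPPER_NAME not in by_lower:
            continue                      # no dropper copy here: not this pattern
        directory = Path(dirpath)
        for name in files:
            if not name.startswith(COPY_PREFIX):
                continue
            base, ext = os.path.splitext(name[len(COPY_PREFIX):])
            if ext.lower() not in TARGET_EXTS:
                continue
            lnk = by_lower.get(base.lower() + ".lnk")
            if lnk is None:
                continue                  # user-made "Copy of", no planted shortcut
            victim = directory / name
            findings.append(Finding(directory, victim, directory / lnk,
                                    directory / by_lower[DROPPER_NAME],
                                    hidden_and_system(victim)))
    return findings

def restore(finding: Finding, dry_run: bool = True) -> List[str]:
    """Delete the planted .lnk and the dropper, then give the victim its name back."""
    original = finding.directory / finding.victim.name[len(COPY_PREFIX):]
    actions = [f"delete {finding.lnk}", f"delete {finding.dropper}",
               f"rename {finding.victim} -> {original}"]
    if not dry_run:
        finding.lnk.unlink(missing_ok=True)
        finding.dropper.unlink(missing_ok=True)  # shared by every victim in the dir
        if not original.exists():                # never clobber a recreated file
            finding.victim.rename(original)
    return actions

def build_sample_tree(root: Path) -> None:
    """Constructed sample, not a capture: one infected dir plus look-alikes to leave alone."""
    infected = root / "USB" / "Reports"
    infected.mkdir(parents=True)
    (infected / "Copy of Q3 report.docx").write_bytes(b"PK\x03\x04 original document")
    (infected / "Q3 report.lnk").write_bytes(b"L\x00\x00\x00 shortcut to thumbs.dbh")
    (infected / DROPPER_NAME).write_bytes(b"MZ trojan copy")
    (infected / "Copy of budget.xls").write_bytes(b"user-made duplicate, no .lnk")
    clean = root / "USB" / "Photos"              # same naming, but no dropper copy
    clean.mkdir()
    (clean / "Copy of holiday.docx").write_bytes(b"PK\x03\x04")
    (clean / "holiday.lnk").write_bytes(b"L\x00\x00\x00")

def demo() -> Dict[str, object]:
    """Build the sample in a temp dir, scan it, clean it, and return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        findings = scan(root)
        actions = [a for f in findings for a in restore(f, dry_run=False)]
        remaining = sorted(p.name for p in (root / "USB" / "Reports").iterdir())
    return {"victims": sorted(f.victim.name for f in findings),
            "lnks": sorted(f.lnk.name for f in findings),
            "actions": len(actions), "after_cleanup": remaining}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a mounted drive with `scan(Path("E:/"))` and review the findings before calling `restore` with `dry_run=False`; a lone "Copy of budget.xls" with no sibling shortcut is left alone because users make such copies themselves, and the thumbs.dbh copy is treated as evidence only, never executed. On a Windows host, `hidden_system` being True on a flagged victim is the corroborating detail from the writeup; on other platforms it is None and the name-based triple alone decides.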
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":