When the Trojan is executed, it creates the following files:
- %Temp%\[RANDOM CHARACTERS].exe
- %Temp%\[CURRENT USER NAME]7
- %Temp%\[CURRENT USER NAME]8
- %SystemDrive%\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe
The Trojan then creates the following registry entry so that it runs every time Windows starts. Note that this is the Policies\Explorer\Run key, which is processed at logon like the standard Run key but is checked far less often by users and by many tools:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"[RANDOM CHARACTERS]" = "%Temp%\[RANDOM CHARACTERS].exe"
It then creates the following registry entries:
- HKEY_CURRENT_USER\Software\TEST\"NewIdentification" = "TEST"
- HKEY_CURRENT_USER\Software\TEST\"NewGroup" = ""
- HKEY_CURRENT_USER\Software\TEST\"FirstExecution" = "[DAY/MONTH/YEAR] -- [HOURS:MINUTES]"
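The following PowerShell script is an added triage example, not code from the original write-up or from Symantec. It checks a host for the file and registry artifacts listed above. Because the file and value names made of random characters cannot be matched literally, it reports any Policies\Explorer\Run value whose target resolves to a path under %Temp% (an assumption: that a policy-Run entry pointing into %Temp% is suspicious enough to flag), and looks for the fixed-name artifacts (HKCU\Software\TEST and the %Temp%\[CURRENT USER NAME]7 and 8 files) exactly. It assumes it is run as the user whose profile was infected, since HKCU and %Temp% are per-user.

```powershell
# Added triage example (not from the original write-up). Checks the local host
# for the artifacts listed above and prints what it finds.
$findings = @()

# Resolve %Temp% to its long form so comparisons do not fail on 8.3 short names.
$tempDir = (Get-Item -LiteralPath $env:TEMP).FullName

# 1. Persistence: Policies\Explorer\Run values whose target lives under %Temp%.
#    Assumption: the random-character name is unknown, so any value whose
#    expanded target sits in %Temp% is reported.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
if (Test-Path -LiteralPath $runKey) {
    $props = Get-ItemProperty -LiteralPath $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        $target = [Environment]::ExpandEnvironmentVariables([string]$p.Value).Trim('"')
        if ($target -like "$tempDir\*") {
            $findings += "Policy Run value '$($p.Name)' -> $target"
            if (Test-Path -LiteralPath $target) {
                $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
                $findings += "  payload still present, SHA256 $hash"
            }
        }
    }
}

# 2. Configuration values the Trojan writes under HKCU\Software\TEST.
$cfgKey = 'HKCU:\Software\TEST'
if (Test-Path -LiteralPath $cfgKey) {
    $cfg = Get-ItemProperty -LiteralPath $cfgKey
    foreach ($name in 'NewIdentification', 'NewGroup', 'FirstExecution') {
        if ($null -ne $cfg.$name) {
            $findings += "HKCU\Software\TEST\$name = '$($cfg.$name)'"
        }
    }
}

# 3. Fixed-name temp files: %Temp%\<username>7 and %Temp%\<username>8.
foreach ($suffix in 7, 8) {
    $f = Join-Path $tempDir ('{0}{1}' -f $env:USERNAME, $suffix)
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        $findings += "Temp artifact $f ($($item.Length) bytes, last written $($item.LastWriteTime))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No artifacts from this write-up were found.'
} else {
    Write-Output 'Possible infection, artifacts found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The script only inspects the hive and profile of the user running it; to sweep other accounts on the same machine, load each user's NTUSER.DAT or query the matching HKEY_USERS subkey and that user's local Temp directory instead. The %SystemDrive%\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe copy has no fixed name and is not searched for here; a separate listing of recently created top-level folders on the system drive is the practical way to find it.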
The Trojan then connects to the following remote location:
The Trojan may then perform the following actions:
- Allow an attacker to view and change the attributes of files on the compromised computer
- Allow an attacker to view and edit registry entries
- Capture audio
- Capture video using the webcam
- Display messages on the compromised computer
- Download and execute other malware
- Execute commands
- Gather and manipulate clipboard data
- Gather information on installed programs and Windows services
- Gather information from the compromised computer such as the operating system, installed firewall or antivirus, CPU, RAM, and location
- Gather network statistics and established connections
- List running processes
- Log keystrokes
- Open a back door
- Open a Web page with the default browser
- Open and close the optical drive
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":