When the Trojan is executed, it creates the following files:
- [RANDOM CHARACTERS].cfg
- [RANDOM CHARACTERS].dll
- [RANDOM CHARACTERS].vbs
- [RANDOM CHARACTERS].exe.log
- [RANDOM CHARACTERS].log
The Trojan stores stolen information in the [RANDOM CHARACTERS].log file.
The Trojan installs itself as a module into Internet Information Services (IIS) for Windows Server 7 and 6.
The Trojan then steals all data sent through HTTP POST to the IIS server.
The Trojan checks for the following string commands when an HTTP GET is sent to the server:
- isn_reloadconfig (command to reload config file)
- isn_getlog (command to display stolen data)
- isn_logpath (command to display log path)
- isn_logdel (command to delete log file)
Commands are sent by requesting an HTTP GET to URIs in the config file (.cfg). For example: http://www.[COMPROMISED SERVER]/login.html?isn_getlog
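Because the operator's commands travel as plain query strings in ordinary HTTP GET requests, they are visible in the IIS access logs on the server. The following scanner is an added example written for this page, not code from Symantec or from the malware; it parses IIS W3C extended-format log lines (the sample lines are constructed) and reports every GET whose query string carries one of the four command tokens named above. The write-up does not say whether the module matches the token exactly or as a substring, so the scanner uses a substring match to err on the side of flagging requests for review.

```python
"""Scan IIS W3C extended log lines for the isn_* command tokens.

Added example, not part of the Symantec write-up. The log lines below are
constructed sample data; only the four command strings come from the page.
"""
import re

# Query-string command tokens listed in the write-up.
ISN_COMMANDS = ("isn_reloadconfig", "isn_getlog", "isn_logpath", "isn_logdel")
ISN_PATTERN = re.compile("|".join(re.escape(c) for c in ISN_COMMANDS))

# Constructed sample log in IIS W3C extended format (not real traffic).
# The server name and client addresses are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2013-01-10 08:00:01 10.0.0.5 GET /login.html - 80 192.0.2.10 200
2013-01-10 08:00:07 10.0.0.5 POST /login.html - 80 192.0.2.10 302
2013-01-10 08:01:15 10.0.0.5 GET /login.html isn_getlog 80 198.51.100.7 200
2013-01-10 08:01:20 10.0.0.5 GET /login.html user=bob&isn_logdel 80 198.51.100.7 200
2013-01-10 08:02:00 10.0.0.5 GET /index.html q=isn_getlogs 80 192.0.2.11 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header.

    Field positions are taken from the header rather than hard-coded, because
    administrators can change which columns IIS logs.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip malformed lines instead of guessing column positions
        yield dict(zip(fields, parts))


def find_isn_commands(text):
    """Return (client ip, uri stem, token) for each GET whose query holds a token."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-method") != "GET":
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":  # IIS writes '-' when there is no query string
            continue
        for match in ISN_PATTERN.finditer(query):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], match.group(0)))
    return hits


def clients_issuing_commands(text):
    """Summarise hits per client address, useful for scoping an incident."""
    summary = {}
    for client, _uri, token in find_isn_commands(text):
        summary.setdefault(client, set()).add(token)
    return summary


if __name__ == "__main__":
    for client, uri, token in find_isn_commands(SAMPLE_LOG):
        print(f"{client} requested {uri} with command token {token}")
    print(clients_issuing_commands(SAMPLE_LOG))
```

Run it against real logs by reading the files under the IIS log directory (by default %SystemDrive%\inetpub\logs\LogFiles) and passing their contents to find_isn_commands. A match is a strong indicator because the isn_ tokens have no legitimate purpose on a web application; the POST requests themselves look normal in the log, so the GET-side command traffic is the practical detection point, alongside checking the list of loaded IIS modules for an unexpected DLL.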
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":