The Trojan spreads through malicious .PDF and .XLS email attachments.
When the Trojan is executed, it creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"common" = "%SystemDrive%\PROGRA~1\COMMON~1\[RANDOM FILE NAME]"
The Trojan creates the following file:
%ProgramFiles%\Common Files\[RANDOM FILE NAME]
The Trojan creates the following mutex:
The Trojan opens a back door on the compromised computer, and connects to a hardcoded URL or IP address on port 43 with the following format:
- [IP ADDRESS]/bbs/info.asp
The Trojan may download files from the previously mentioned URL or IP address.
The Trojan may steal the following information and post it on the previously mentioned URL or IP address:
- Host name
- IP address
- Windows version
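The following Python script checks host records against the three indicators described above (the "common" Run value pointing into PROGRA~1\COMMON~1, a file dropped directly into Common Files, and a port 43 request to /bbs/info.asp). It is an added example for defenders, not part of the Symantec write-up; the sample records, the TEST-NET addresses and the "file directly in Common Files is suspicious" heuristic are constructed assumptions.

```python
import re

# Indicators taken from the write-up; everything in SAMPLE_* below is constructed.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "common"
# The Run value points at the 8.3 form of %ProgramFiles%\Common Files; file name is random.
RUN_DATA_RE = re.compile(r"^%SystemDrive%\\PROGRA~1\\COMMON~1\\[^\\]+$", re.IGNORECASE)
# Heuristic (assumed): legitimate software uses subfolders of Common Files, not its root.
DROP_PATH_RE = re.compile(r"^%ProgramFiles%\\Common Files\\[^\\]+$", re.IGNORECASE)
C2_PORT = 43
C2_PATH_RE = re.compile(r"/bbs/info\.asp$", re.IGNORECASE)

def is_persistence_entry(key, name, data):
    """True if a Run entry matches the value name and path pattern from the write-up."""
    return (key.lower() == RUN_KEY.lower()
            and name.lower() == RUN_VALUE_NAME
            and RUN_DATA_RE.match(data) is not None)

def is_dropped_file(path):
    """True for a file sitting directly in the root of %ProgramFiles%\\Common Files."""
    return DROP_PATH_RE.match(path) is not None

def is_c2_connection(dst_port, url_path):
    """True for an outbound request on port 43 whose path ends in /bbs/info.asp."""
    return dst_port == C2_PORT and C2_PATH_RE.search(url_path) is not None

def scan(run_entries, files, connections):
    """Apply all three checks; return a list of (indicator, detail) findings in order."""
    findings = []
    for key, name, data in run_entries:
        if is_persistence_entry(key, name, data):
            findings.append(("run_key", f"{key}\\{name} = {data}"))
    for path in files:
        if is_dropped_file(path):
            findings.append(("dropped_file", path))
    for dst_ip, dst_port, url_path in connections:
        if is_c2_connection(dst_port, url_path):
            findings.append(("c2_beacon", f"{dst_ip}:{dst_port}{url_path}"))
    return findings

# Constructed sample host data: one benign and one matching record per category.
SAMPLE_RUN_ENTRIES = [
    (RUN_KEY, "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    (RUN_KEY, "common", r"%SystemDrive%\PROGRA~1\COMMON~1\xk3n1q.exe"),
]
SAMPLE_FILES = [
    r"%ProgramFiles%\Common Files\microsoft shared\ink\tipband.dll",
    r"%ProgramFiles%\Common Files\xk3n1q.exe",
]
SAMPLE_CONNECTIONS = [("203.0.113.7", 443, "/api/v1/sync"), ("203.0.113.9", 43, "/bbs/info.asp")]

if __name__ == "__main__":
    for indicator, detail in scan(SAMPLE_RUN_ENTRIES, SAMPLE_FILES, SAMPLE_CONNECTIONS):
        print(f"[{indicator}] {detail}")
```

On a live host the same functions can be fed from the Run key, a directory listing of Common Files, and proxy or firewall logs; a port 43 (whois) connection to a web path is itself unusual enough to alert on.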
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":