A binder program may attach Trojan.Cargao.B to a legitimate file. The binder program allows the malicious file to be executed when the legitimate file is run, without the user's knowledge. The binder program drops both files into the %Temp% folder and then executes them.
%Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
When Trojan.Cargao.B is executed, it performs the following actions:
- Creates the following file:
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\appconn32.exe
Note: This file is usually 126,464 bytes in size, but due to a bug in the code, the file may expand to fill the hard disk.
- Attempts to download the following files from the domain, virtualcards.serveftp.com, and then save them to the C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\ folder:
- Sends an email to the contacts that it finds in the Outlook address book.
Subject: (May contain the following text)
[sender name] te enviou um cart?o
where [sender name] is the sender's name in the email address. For example, "name" in firstname.lastname@example.org.
Contains HTML and includes links to many predetermined Web sites.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":