Once executed, the worm copies itself as the following files:
- [DRIVE LETTER]:\Shell.exe
The worm then creates the following file:
The files Shell.exe and autorun.inf are created whenever a new drive is added to the computer.
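The pairing described above (a Shell.exe copy plus an autorun.inf in the root of a drive) can be checked for on a mounted volume. The following is an added example, not part of the original write-up: it assumes the autorun.inf launches the Shell.exe copy through a standard AutoRun key, which the write-up does not state, and the function names and sample directory are constructed for illustration.

```python
import os
import tempfile

# Standard AutoRun keys that name a program to launch.
LAUNCH_KEYS = ("open", "shellexecute")

def autorun_targets(text):
    """Return the command values of launch-type keys found in autorun.inf text."""
    targets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue  # skip blanks, comments, section headers, malformed lines
        key, value = line.split("=", 1)
        key = key.strip().lower()
        # Covers open=, shellexecute= and shell\<verb>\command=
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value.strip())
    return targets

def check_drive_root(root, dropped_name="Shell.exe"):
    """Report whether a drive root shows the Shell.exe + autorun.inf pattern."""
    names = {n.lower(): n for n in os.listdir(root)}  # Windows names are case-insensitive
    finding = {
        "root": root,
        "copy_present": dropped_name.lower() in names,
        "autorun_present": "autorun.inf" in names,
        "autorun_launches_copy": False,
    }
    if finding["autorun_present"]:
        path = os.path.join(root, names["autorun.inf"])
        # latin-1 never fails to decode; dropping NULs also tolerates UTF-16 files.
        with open(path, "r", encoding="latin-1") as fh:
            targets = autorun_targets(fh.read().replace("\x00", ""))
        # Assumption: the autorun.inf points at the dropped copy.
        finding["autorun_launches_copy"] = any(
            dropped_name.lower() in t.lower() for t in targets)
    finding["suspicious"] = finding["copy_present"] and finding["autorun_launches_copy"]
    return finding

def demo():
    """Build a constructed drive root (empty files, no malware) and check it."""
    root = tempfile.mkdtemp()
    open(os.path.join(root, "Shell.exe"), "wb").close()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\nopen=Shell.exe\n")
    return check_drive_root(root)

if __name__ == "__main__":
    print(demo())
```

On a live system, call `check_drive_root` once per mounted drive root; a drive that carries an autorun.inf launching some other program is reported with `suspicious` set to False.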
The worm also drops the following file:
The worm may also drop the following file temporarily:
The worm creates the following registry subkeys so that the file %Windir%\D563BA79B410.dll is loaded into each process:
The worm monitors Internet Explorer and steals the following information:
- Accounts and passwords to the MapleStory online game
- Role and item information in the game
The stolen information is sent to the author via email and HTTP.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":