Once executed, the Trojan creates the following files:
- %System%\[RANDOM NAME].sys
It will also create the following file and then delete itself:
The Trojan creates the following hidden registry subkey to run the rootkit driver when the machine starts:
It also creates the following registry entry to act as an infection marker:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RcpApi\"MachineNum" = "[XXXXXX-YYYYYY-ZZ]"
where [XXXXXX-YYYYYY-ZZ] is a combination of letters and numbers.
The threat runs entirely in kernel mode and uses rootkit techniques to hide its files, registry keys, and network connections from the running operating system.
The rootkit hooks the following kernel functions to hide its registry keys:
It also hooks the following dispatch routine of the NTFS file system driver to hide its files:
- \FileSystem\Ntfs\IRP_MJ_CREATE
It patches the TCP/IP network driver chain so that its traffic bypasses host-based firewalls, IDS systems, and network sniffer tools on the infected machine; traffic captured on a separate network tap or gateway is not affected by this patching.
The rootkit also loads in Windows Safe Mode, so booting into Safe Mode does not disable its hiding; files and registry keys should be examined from clean boot media or from an offline copy of the hives.
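The following PowerShell script is an added example, not part of the Symantec writeup, that checks for the RcpApi "MachineNum" infection marker described above. Because the rootkit hides its registry keys on a live system, the script can also be pointed at an offline SYSTEM hive (for example, a disk mounted from clean boot media) and resolves CurrentControlSet through the Select\Current value, since that link does not exist in an offline hive. The hive path, the mount name OfflineSYS, and the 6-6-2 group lengths in the marker regex are assumptions, not values from the writeup.

```powershell
# Added example: look for the RcpApi\MachineNum infection marker on a live system
# or in an offline SYSTEM hive. Not part of the original writeup.
param(
    # Assumed path; e.g. 'D:\Windows\System32\config\SYSTEM'. Empty = check the live registry.
    [string]$OfflineHive = ''
)

# Marker shape [XXXXXX-YYYYYY-ZZ], letters and digits. The 6-6-2 group lengths are
# an assumption read from the placeholder; loosen the pattern if real samples differ.
$markerPattern = '^[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}$'

function Get-CurrentControlSetPath {
    param([string]$HiveRoot)   # e.g. 'HKLM:\SYSTEM' or 'HKLM:\OfflineSYS'
    # CurrentControlSet is a symbolic link that is absent in an offline hive,
    # so resolve it the way the kernel does: Select\Current -> ControlSet00N.
    $current = (Get-ItemProperty -Path "$HiveRoot\Select" -Name 'Current').Current
    return ('{0}\ControlSet{1:D3}' -f $HiveRoot, $current)
}

function Test-RcpApiMarker {
    param([string]$HiveRoot)
    $svcKey = (Get-CurrentControlSetPath $HiveRoot) + '\Services\RcpApi'
    $val = Get-ItemProperty -Path $svcKey -Name 'MachineNum' -ErrorAction SilentlyContinue
    if (-not $val) { return $null }
    [pscustomobject]@{
        Path       = $svcKey
        MachineNum = $val.MachineNum
        ShapeMatch = ($val.MachineNum -match $markerPattern)
    }
}

if ($OfflineHive) {
    # reg.exe load requires an elevated prompt; 'OfflineSYS' is an arbitrary mount name.
    & reg.exe load 'HKLM\OfflineSYS' $OfflineHive | Out-Null
    try     { $result = Test-RcpApiMarker 'HKLM:\OfflineSYS' }
    finally { & reg.exe unload 'HKLM\OfflineSYS' | Out-Null }
} else {
    $result = Test-RcpApiMarker 'HKLM:\SYSTEM'
}

if ($result) {
    $result | Format-List
} else {
    Write-Output 'RcpApi\MachineNum not found. On a live system this is not conclusive: the rootkit hides its keys.'
}
```

A hit with ShapeMatch set to False still deserves attention: the value name and key path are the marker, and the exact format of the value may vary between samples. Run the live check and the offline check against the same machine; a key that appears only in the offline hive is itself evidence that something is filtering registry enumeration on the running system.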
Next, the Trojan attempts to connect to one of the following URLs and download configuration files to send spam:
The configuration file contains the following files used by the spam routine:
It then sends spam to email addresses contained in the configuration files.
The Trojan may delete log files from the following path:
It may also uninstall and delete additional files related to malicious rootkit drivers, if present:
It has been reported that it is downloaded from the following URL:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":