This Trojan may arrive by email as the following file:
hope see again.doc
When the Trojan is executed, it exploits the Microsoft Word Workspace Memory Corruption Remote Code Execution Vulnerability (BID 25906) for Microsoft Word 2000 and XP in order to drop and run an executable file. MS Word 2003 may crash or exit unexpectedly.
Next, the Trojan creates the following file:
The above Trojan copies itself to the following location:
It then creates the following files:
Next, the Trojan creates the following registry entry:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folder\"Startup" = "C:\Documents and Settings\All Users\Application Data\Microsoft\Comon\ctfmon.exe"
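Added defender-side check, not part of the Symantec writeup: this PowerShell audits the per-user "Startup" shell-folder value that the Trojan redirects. It assumes the real key name, "User Shell Folders" (the entry above omits the trailing "s"), and the stock default values for Windows 2000/XP and for Vista and later; any other value is reported for review, which covers the ...\Microsoft\Comon\ctfmon.exe redirection shown above.

```powershell
# Audit the per-user Startup shell-folder redirection used for persistence.
# Assumption: the real key is "User Shell Folders"; stock defaults listed below.
$expectedDefaults = @(
    '%USERPROFILE%\Start Menu\Programs\Startup',               # Windows 2000 / XP
    '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup'  # Vista and later
)

function Test-StartupShellFolder {
    param([string]$HivePath)   # e.g. 'Registry::HKEY_USERS\S-1-5-21-...'
    $key = "$HivePath\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $raw = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Startup
    if ($null -eq $raw) { return $null }
    # Note: expansion uses the current process environment, not the target user's;
    # the raw REG_EXPAND_SZ string is what is compared against the defaults.
    $expanded = [Environment]::ExpandEnvironmentVariables($raw)
    [pscustomobject]@{
        Hive       = $HivePath
        RawValue   = $raw
        Expanded   = $expanded
        Suspicious = ($expectedDefaults -notcontains $raw)   # case-insensitive compare
    }
}

# Walk HKCU plus every loaded hive under HKEY_USERS and report redirected Startup folders.
$hives = @('Registry::HKEY_CURRENT_USER') +
         (Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object { $_.PSPath })
$hives | ForEach-Object { Test-StartupShellFolder $_ } |
    Where-Object { $_ -and $_.Suspicious } |
    Format-Table -AutoSize
```

Run from an elevated prompt so that other users' loaded hives under HKEY_USERS are readable; a Startup value pointing outside the user's own profile, as in the entry above, warrants inspecting the referenced executable.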
The Trojan uses rootkit techniques and may disable security software and programs.
It also creates and opens the following file, which is a clean Microsoft Word Document written in Chinese:
%Temp%\hope see again.doc
It then opens a back door on the compromised computer and connects to the following location on TCP port 80:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":