This worm is generated by the Spy-Net RAT toolkit, so the attacker can choose the file names and registry entries it uses. The files, registry entries, processes, and mutexes listed below are the toolkit's default values.
When the worm is executed, it creates the following files:
It then creates the following registry entry, so that it starts when Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\"Policies" = "c:\dir\install\server.exe"
The worm then opens a back door using a predetermined port and IP address, allowing an attacker to perform the following actions on the compromised computer:
- Read, write, and execute files
- Steal stored passwords
- Issue commands
- Activate and view a webcam, if present
- Log keystrokes
- Create an HTTP proxy to route traffic through the compromised computer
The worm may also create a rootkit that hides any registry entries or files that begin with the "SPY_NET_RAT" string.
The threat may also inject itself into the iexplorer.exe process, or another predetermined process, so that it starts when the process starts.
It also creates a mutex named ***MUTEX*** (or another value determined by the attacker) to prevent multiple instances of the threat from running.
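The two default indicators above (the "Policies" value under the Policies\Explorer\Run key and the ***MUTEX*** mutex) can be checked from a host with the following PowerShell triage script. This is an added example, not part of the Symantec write-up; the function names are my own, and because the attacker can rename both indicators in the toolkit, a clean result is not proof that the host is uninfected.

```powershell
# Added triage example: look for the default Spy-Net persistence value and mutex.
# Key path, value name "Policies", server.exe and "***MUTEX***" are the defaults
# from the write-up; anything else here is an assumption of this example.

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'

function Get-PolicyRunEntries {
    # Returns every value under Policies\Explorer\Run. This key is rarely
    # populated on a normal workstation, so any entry deserves review; the
    # default Spy-Net entry is named "Policies" and points at server.exe.
    if (-not (Test-Path $runKey)) { return @() }
    $item = Get-ItemProperty -Path $runKey
    $item.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop provider metadata
        ForEach-Object {
            [pscustomobject]@{
                Name           = $_.Name
                Command        = $_.Value
                MatchesDefault = ($_.Name -eq 'Policies' -and "$($_.Value)" -like '*server.exe*')
            }
        }
}

function Test-MutexPresent {
    param([string]$Name)
    # OpenExisting succeeds only if a process has already created the mutex.
    # A missing mutex throws WaitHandleCannotBeOpenedException; an existing
    # mutex we are not allowed to open throws UnauthorizedAccessException,
    # which still tells us it is there.
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true
    }
}

Get-PolicyRunEntries | Format-Table -AutoSize

# Check both the session-local and the Global\ namespace, since the write-up
# does not say which one the toolkit uses.
foreach ($name in '***MUTEX***', 'Global\***MUTEX***') {
    "Mutex '$name' present: $(Test-MutexPresent -Name $name)"
}
```

Run it in the user's own session, because an unqualified mutex name and the HKCU hive are both per-user; a rootkit component (described above) could also hide entries from this check, so confirm findings from a known-clean environment.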
The worm spreads by copying itself to removable drives and to the shared folders of file-sharing programs, such as Limewire and Bearshare.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":