This Trojan may arrive on the compromised computer through the Microsoft Internet Explorer CSS Tags Remote Code Execution Vulnerability.
When the Trojan is executed, it creates the following file:
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\ctfmon.exe
The Trojan then modifies the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup = "%CommonPrograms%"
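The two persistence indicators above (the dropped ctfmon.exe in the All Users Startup folder and the rewritten "Common Startup" shell-folder value) can be checked on a host without touching the binary. The following PowerShell function is an added, read-only example written for this page; it is not part of the Symantec write-up. The indicator paths and the registry value come from the write-up; the function name, the "last path element must be Startup" heuristic and the use of the .NET CommonStartup folder path as a second location to check are this example's own choices. It assumes PowerShell 4 or later for Get-FileHash.

```powershell
# Added example (not from the Symantec write-up): read-only check for the two
# persistence indicators described in the text. Indicator values are the page's;
# the heuristic and function name are assumptions made for this example.

function Test-CommonStartupIndicators {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. The "Common Startup" shell folder. A legitimate value points at a folder
    #    whose last path element is "Startup"; the write-up describes the Trojan
    #    rewriting it to the literal string "%CommonPrograms%".
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
    $commonStartup = (Get-ItemProperty -Path $key -Name 'Common Startup' `
                        -ErrorAction SilentlyContinue).'Common Startup'

    if (-not $commonStartup) {
        $findings += 'Common Startup value is missing from Shell Folders.'
    }
    elseif ($commonStartup -match '%CommonPrograms%' -or
            (Split-Path -Leaf $commonStartup) -ne 'Startup') {
        $findings += "Common Startup redirected to unexpected path: $commonStartup"
    }

    # 2. ctfmon.exe dropped into the All Users Startup folder. ctfmon.exe is the
    #    name of a legitimate Windows component that normally lives under
    #    %SystemRoot%\System32; a copy in any Startup folder is out of place.
    #    The first path is the one the write-up names; the second is the same
    #    special folder as resolved by .NET on the running system (assumption).
    $startupDirs = @(
        (Join-Path $env:SystemDrive 'Documents and Settings\All Users\Start Menu\Programs\Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    ) | Where-Object { $_ } | Select-Object -Unique

    foreach ($dir in $startupDirs) {
        $candidate = Join-Path $dir 'ctfmon.exe'
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            # Hash is recorded so the responder can compare against their own
            # sample repository; the write-up itself publishes no hash.
            $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
            $findings += "ctfmon.exe present in Startup folder: $candidate (SHA256 $hash)"
        }
    }

    [PSCustomObject]@{
        CommonStartupValue = $commonStartup
        Suspicious         = ($findings.Count -gt 0)
        Findings           = $findings
    }
}

# Usage: run in an elevated session and review the Findings field.
Test-CommonStartupIndicators | Format-List
```

The check is deliberately conservative: it flags any "Common Startup" value that does not end in a Startup folder, not only the exact string the write-up names, so a variant that redirects the folder elsewhere is still reported. A hit on either indicator is a reason to image the host rather than to clean it in place, since the write-up also describes the Trojan injecting into Internet Explorer and hiding configuration data in copies of clean files.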
Next, the Trojan opens a back door on the compromised computer and connects to a folder on a remote server. The folder will have one of the following names:
The Trojan then downloads .gif files that contain encrypted commands for the back door.
The back door can perform the following actions:
- Set and display configuration data
- Execute commands using cmd.exe
- Download and upload files
- List and end processes
- End commands
- Remove the back door
If the Trojan detects an open Internet Explorer session, it will create the following file and then inject it into the process:
The Trojan may also make a copy of clean files and add encrypted configuration data to them.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":