This threat masquerades as a video player and must be manually downloaded.
When the Trojan is executed, it creates the following files:
The Trojan also installs one of the following files:
The Trojan then installs an NDIS driver, using the following file name:
It also creates a service with the following characteristics: Display Name:
It creates the following registry subkey for the above service:
It also creates the following registry subkey to register another service:
It may also create the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\speednet_sph\"PathName" = "%System%\netplayone\netplayone.dll"
It then modifies the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\"PackedCatalogItem" = "%System%\netplayone\netplayone.dll"
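The PackedCatalogItem modification above registers the Trojan's DLL as a Winsock layered service provider, which is what lets it sit in the path of every socket call. The following audit script is an added example, not part of the Symantec writeup: it reads the provider path that a PackedCatalogItem blob begins with (on real systems this REG_BINARY value starts with the DLL path as a NUL-terminated ANSI string, followed by the WSAPROTOCOL_INFO structure) and flags any catalog entry whose DLL is not one of the known Windows providers. The catalog entries below are constructed for the demonstration; the allowlist of provider DLLs is an assumption to be replaced by a baseline taken from a clean build.

```python
"""Audit Winsock Protocol_Catalog9 entries for provider DLLs outside the expected set.

Added example (not from the original writeup). PackedCatalogItem is parsed only
far enough to recover the leading NUL-terminated provider path.
"""
from typing import Dict, List

# Assumption: small allowlist of provider DLLs shipped with Windows. Build your own
# baseline from a known-clean machine rather than relying on this list.
KNOWN_PROVIDER_DLLS = {
    "mswsock.dll", "rsvpsp.dll", "winrnr.dll", "napinsp.dll", "pnrpnsp.dll", "nlaapi.dll",
}
# Directories in which a legitimate provider DLL is expected to live.
EXPECTED_DIRS = {"%system%", "%systemroot%/system32", "c:/windows/system32"}


def parse_packed_catalog_item(blob: bytes) -> str:
    """Return the provider DLL path stored at the start of a PackedCatalogItem blob."""
    end = blob.find(b"\x00")
    if end == -1:
        raise ValueError("PackedCatalogItem has no NUL-terminated path")
    return blob[:end].decode("latin-1")


def is_expected_path(path: str) -> bool:
    """True when the DLL sits in a system directory and is a known provider."""
    p = path.lower().replace("\\", "/")
    directory, _, name = p.rpartition("/")
    return directory in EXPECTED_DIRS and name in KNOWN_PROVIDER_DLLS


def audit_catalog(entries: Dict[str, bytes]) -> List[dict]:
    """Return one finding per catalog entry whose provider DLL is not on the allowlist."""
    findings = []
    for entry_id, blob in entries.items():
        path = parse_packed_catalog_item(blob)
        if not is_expected_path(path):
            findings.append({
                "entry": entry_id,
                "path": path,
                "reason": "provider DLL outside the known Windows provider set",
            })
    return findings


def make_blob(path: str) -> bytes:
    """Constructed helper: path + NUL + zero padding standing in for WSAPROTOCOL_INFO."""
    return path.encode("latin-1") + b"\x00" + b"\x00" * 16


# Constructed sample catalog: one entry using the path named in the writeup,
# one legitimate Microsoft base provider.
SAMPLE_ENTRIES = {
    "000000000001": make_blob("%System%\\netplayone\\netplayone.dll"),
    "000000000002": make_blob("%SystemRoot%\\system32\\mswsock.dll"),
}

if __name__ == "__main__":
    for f in audit_catalog(SAMPLE_ENTRIES):
        print(f"suspicious LSP entry {f['entry']}: {f['path']} ({f['reason']})")
```

On a live host the same check reads the Catalog_Entries subkeys from HKLM with PowerShell's Get-ItemProperty, or compares against the output of `netsh winsock show catalog`; when a rogue provider is confirmed and the DLL removed, `netsh winsock reset` rebuilds the catalog so networking is not left broken by a dangling entry.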
The Trojan intercepts HTTP traffic. This traffic may be modified to display advertisements using a hidden iframe tag. It may also change affiliate ID values. Ads and affiliate values are obtained from the following URLs:
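The injected advertisements are carried in a hidden iframe, which is something a proxy or web-gateway inspection rule can look for in responses. The scanner below is an added example, not part of the Symantec writeup: it parses an HTML body with the standard library and reports iframes that are hidden through their style attribute or collapsed to zero size. The sample page and the `ads.example.invalid` hostname are constructed for the demonstration; the page does not list the real ad URLs.

```python
"""Flag hidden or zero-sized iframes in an HTML response body.

Added example (not from the original writeup). Intended to run over decoded
HTTP response bodies at a proxy or in a sandbox report, not in the browser.
"""
from html.parser import HTMLParser
from typing import Dict, List


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that a user would never see on the rendered page."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        if a.get("width", "").strip() in ("0", "0px") or a.get("height", "").strip() in ("0", "0px"):
            reasons.append("zero-sized")
        if reasons:
            self.hits.append({"src": a.get("src", ""), "reason": ", ".join(reasons)})


def find_hidden_iframes(html: str) -> List[Dict[str, str]]:
    """Return one record per hidden iframe found in the document."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed sample: a visible embedded frame plus one injected, hidden frame.
SAMPLE_HTML = """
<html><body>
<h1>Example page</h1>
<iframe src="https://video.example.invalid/player" width="640" height="360"></iframe>
<iframe src="http://ads.example.invalid/show?aff=12345" width="0" height="0"
        style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML):
        print(f"hidden iframe -> {hit['src']} ({hit['reason']})")
```

A hit alone is not proof of infection, since some legitimate sites use hidden frames for tracking; the useful signal is a hidden frame appearing in responses from sites that never serve one, or the same injected source showing up across unrelated sites, which points at modification on the client rather than at the origin server.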
The Trojan intercepts traffic going to antivirus-related sites and blocks it. The blocked traffic will contain the following strings:
The Trojan will then modify searches from sogou.com.
It also deletes cookies from the following websites:
The Trojan then downloads further configuration data from the following locations, allowing it to perform further actions:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":