When the worm executes, it checks for the presence of the following shared memory object:
If the above shared memory object exists, the worm ends the process that owns it and then creates a new one with the same name. The worm does this so that only one instance of the threat is running on the compromised computer.
Next, the worm drops the following files:
It then creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MozillaAgent" = "%CurrentFolder%\[ORIGINAL THREAT FILE NAME].exe"
The worm also creates the following registry entries:
- HKEY_CURRENT_USER\Software\Mozilla\"AppID" = "[RANDOM CHARACTERS]"
- HKEY_CURRENT_USER\Software\Mozilla\"ID" = "[RANDOM NUMBER]"
- HKEY_CURRENT_USER\Software\Mozilla\"ID2" = "[BINARY DATA]"
- HKEY_CURRENT_USER\Software\Mozilla\"ID3" = "[BINARY DATA]"
Next, the worm creates a service with the following characteristics:
WinPcap Packet Driver (NPF)
It then creates the following registry subkey in order to register the above service:
Next, the worm opens a back door on TCP port 80 and awaits further instructions from a remote attacker, which may include:
- Download and execute files
- Send email
- Steal information from the compromised computer
The worm then searches for email addresses on local drives by searching all files that do not have the following extensions:
It then sends an email message to the collected email addresses.
The threat may also spread by copying itself to removable drives as the following file:
It may also create a link to itself on the removable drive as the following file:
%DriveLetter%\Shortcut to Sony.lnk
The worm may then attempt to steal sensitive information from network traffic, including:
- FTP user name
- FTP password
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":