When the worm executes, it may create the following files:
- %SystemDrive%\Documents and Settings\Default User\Application Data\Bitcoin\wallet.dat
- %Temp%\[HEXADECIMAL VALUE].dmp
- %UserProfile%\[FOUR TO SEVEN RANDOM CHARACTERS].exe
- %UserProfile%\Application Data\Bitcoin\wallet.dat
- %UserProfile%\Local Settings\Application Data\Bitcoin\wallet.dat
Next, the worm creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"intelagent" = "%Windir%\Temp\temp68.exe"
It may also create the following registry entries:
- HKEY_CURRENT_USER\Software\Intel\"DATA" = "[HEXADECIMAL VALUE]"
- HKEY_CURRENT_USER\Software\Intel\"DATA2" = "[HEXADECIMAL VALUE]"
- HKEY_CURRENT_USER\Software\Intel\"DATA3" = "[HEXADECIMAL VALUE]"
- HKEY_CURRENT_USER\Software\Intel\"DATAID" = "[HEXADECIMAL VALUE]"
The worm then creates the following registry subkey:
Next, the worm opens a back door on TCP port 80 and UDP port 53 and awaits further instructions from a remote attacker, which may include:
- Download and execute files
- Send email
- Steal information from the compromised computer
The worm may then attempt to steal sensitive information from network traffic, including:
- Bitcoin wallets
- FTP user name
- FTP password
It may also download other executable files on to the compromised computer.
The worm may send spam emails with a link that leads to a malicious file, which is usually a copy of itself.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":