The Trojan may arrive on the computer by exploiting the following vulnerability:
Adobe Flash Player CVE-2012-0779 Object Type Confusion Remote Code Execution Vulnerability
The Trojan may also arrive as a specially crafted Microsoft Word document, which exploits the Microsoft Office RTF File Stack Buffer Overflow Vulnerability.
When the Trojan is executed, it creates the following file:
C:\Documents and Settings\Administrator\Application Data\updatesvc.dll
It may also create the following files:
- %UserProfile%\Application Data\Microsoft\Internet Explorer\IEXPL0RE.EXE
- %Temp%\perf[FOUR OR FIVE RANDOM CHARACTERS].dat
Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"rundll32.exe" = "rundll32.exe "C:\Documents and Settings\Administrator\Application Data\updatesvc.dll",start"
The Trojan then downloads and executes a file from the following location:
The following file is then dropped onto the compromised computer:
The following registry entry is created so that the above file executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"rundll32.exe" = "rundll32.exe "%UserProfile%\Application Data\mstime.dll",start"
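As an added defender-side example (not part of the Symantec write-up), the following Python parses Run-key values of the shape shown above and flags the rundll32 persistence pattern: a DLL loaded from a user-writable profile path with a `start` export, under a value name that mimics a system binary. The sample values are constructed to mirror this write-up, and the path and name heuristics are assumptions of the example, not Symantec detection logic.

```python
import re
from typing import List, Tuple

# Constructed sample HKCU\...\Run values (not captured from a real host).
# The first two mirror the persistence entries in this write-up; the third is benign.
SAMPLE_RUN_VALUES: List[Tuple[str, str]] = [
    ("rundll32.exe", 'rundll32.exe "C:\\Documents and Settings\\Administrator\\Application Data\\updatesvc.dll",start'),
    ("rundll32.exe", 'rundll32.exe "%UserProfile%\\Application Data\\mstime.dll",start'),
    ("OneDrive", '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background'),
]

# rundll32 <dll>,<export>: the DLL path may be quoted, the export name follows a comma.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)', re.I)

# Locations an ordinary user can write to; a Run-key DLL living here is suspicious
# (heuristic chosen for this example).
USER_WRITABLE_RE = re.compile(
    r'(%userprofile%|%appdata%|%temp%|\\documents and settings\\[^\\]+\\application data|\\appdata\\)',
    re.I)


def check_run_value(name: str, command: str) -> List[str]:
    """Return the reasons a single Run-key value resembles this Trojan's persistence."""
    reasons: List[str] = []
    m = RUNDLL32_RE.search(command)
    if m:
        dll = m.group("dll")
        if USER_WRITABLE_RE.search(dll):
            reasons.append(f"rundll32 loads a DLL from a user-writable path: {dll}")
        if m.group("export").lower() == "start":
            reasons.append("rundll32 invokes export 'start' (as in the write-up)")
    if name.strip().lower() == "rundll32.exe":
        reasons.append("value name mimics a system binary name")
    return reasons


def scan_run_values(values: List[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (name, command, reasons) for every value that triggers at least one reason."""
    return [(n, c, r) for n, c in values if (r := check_run_value(n, c))]


if __name__ == "__main__":
    for name, cmd, reasons in scan_run_values(SAMPLE_RUN_VALUES):
        print(f"[!] {name!r}: {cmd}\n    " + "\n    ".join(reasons))
```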
Next, the Trojan downloads a file from the following location, which contains a .zip file:
The .zip file contains a file named ok.exe, which drops the following file:
It then installs a service so that the above file runs whenever the computer starts.
The Trojan may then connect to the following locations:
It may also download a file detected as Trojan horse from the following location:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":