When the Trojan is executed, it drops one of the following files:
It also drops a clean file with a .doc, .pdf, or .ppt extension under the %Temp% or %CurrentFolder% directory and then opens it.
It may copy itself as the following file:
It then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Adobe Update" = "[PATH TO DROPPED FILE]"
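The Run-key entry above is the most durable artifact the write-up gives, so it is the natural thing to hunt for. The following is an added example (not from Symantec's write-up) that parses the text output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and flags entries that either carry the "Adobe Update" value name or launch an executable from a temp directory, which matches the drop location described above. The sample query output, the user name and the file names in it are constructed for illustration; on a real host you would feed it the captured output of `reg query` (or read the key with `winreg`).

```python
import re

# Constructed sample of `reg query` output for the HKCU Run key.
# The user name and file paths are illustrative only (assumption: standard
# reg.exe layout, where columns are separated by runs of four spaces).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Adobe Update    REG_SZ    C:\Users\alice\AppData\Local\Temp\update.exe
    Discord    REG_SZ    C:\Users\alice\AppData\Local\Discord\Update.exe --processStart Discord.exe
"""

# Value name taken from the write-up's persistence entry (compared case-insensitively).
SUSPICIOUS_NAMES = {"adobe update"}

# Heuristic for "dropped under %Temp%": a \Temp\ or \Tmp\ path component.
TEMP_DIR_PATTERN = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def parse_run_entries(text):
    """Turn reg.exe output into a list of {name, type, data} dicts."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("    "):
            continue  # key header or blank line, not a value row
        # Value names may themselves contain spaces ("Adobe Update"), which is
        # why reg.exe separates columns with at least four spaces.
        parts = re.split(r"\s{4,}", line.strip())
        if len(parts) < 3:
            continue
        name, vtype, data = parts[0], parts[1], "    ".join(parts[2:])
        entries.append({"name": name, "type": vtype, "data": data})
    return entries


def executable_path(data):
    """Extract the executable from a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ")[0]


def flag_entries(entries):
    """Return (name, exe_path, reasons) for every entry worth an analyst's look."""
    findings = []
    for entry in entries:
        exe = executable_path(entry["data"])
        reasons = []
        if entry["name"].strip().lower() in SUSPICIOUS_NAMES:
            reasons.append("value name matches the write-up's persistence entry")
        if TEMP_DIR_PATTERN.search(exe):
            reasons.append("executable launched from a temp directory")
        if reasons:
            findings.append((entry["name"], exe, reasons))
    return findings


if __name__ == "__main__":
    for name, exe, reasons in flag_entries(parse_run_entries(SAMPLE_REG_QUERY)):
        print(f"{name!r} -> {exe}")
        for reason in reasons:
            print(f"    {reason}")
```

The name check is a direct indicator from the write-up; the temp-directory check is a broader heuristic that will also surface unrelated droppers, so treat its hits as leads to triage (verify the file's signature and hash) rather than confirmed infections.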
Next, it opens a back door by connecting to the following locations and awaits commands from the remote attacker:
The remote attacker is able to perform the following actions:
- List running processes
- End processes
- Download and execute a remote file
- Execute shell commands
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":