The worm is known to spread through removable drives and P2P file-sharing networks.
The worm is related to the following remote access tools (RATs):
When the worm is executed, it creates the following file:
The worm then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\"Policies" = "%Windir%\installdir\server.exe"
File and registry entry locations are default locations and may be changed by the attacker.
The worm opens a back door on the compromised computer, allowing an attacker to perform the following actions:
- Access files
- Steal stored passwords
- Issue commands
- Activate and view a webcam
- Record keystrokes
- Create an HTTP proxy
- Connect to a control server on TCP
The worm may inject itself into iexplore.exe, or any customizable process.
The worm creates the following mutex:
This mutex is default and may be changed by the attacker.
The worm then spreads to removable drives and P2P networks by copying itself into shared folders.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":