The Trojan is a Trojan.Dropper, which can drop a variety of different files. The dropped files may include other malware, such as Trojan Horse and Backdoor.Darkmoon.
When the Trojan is executed, it drops the following files:
Some of these files may be renamed or deleted.
The Trojan also creates one of the following registry entries so that it runs every time Windows starts:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[VARIABLE]" = "%Temp%\[VARIABLE]"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[VARIABLE]" = "rundll32.exe %Temp%\[VARIABLE] [EXPORTED FUNCTION] 0"
Here, [VARIABLE] is a portion of the name of one of the dropped files listed above, and [EXPORTED FUNCTION] is the name of a function exported by that file (rundll32.exe loads the dropped file as a DLL and calls that export).
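As an added detection example (not from the Symantec advisory), the Python below parses `reg query` output for the Run key and flags values matching the two persistence patterns above: an autorun executable under %Temp%, or rundll32.exe loading a DLL from %Temp%. The sample output, value names and file names are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format printed by `reg query <key>`; the value and
# file names are placeholders, not the dropper's real file names.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater           REG_SZ           "C:\Program Files\Vendor\updater.exe" /background
    sample1           REG_SZ           %Temp%\sample1.exe
    sample2           REG_SZ           rundll32.exe %Temp%\sample2.dll ExportedFunc 0
"""

VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")
# %Temp% as written in the advisory, plus its usual expanded forms.
TEMP_DIR = re.compile(r"%te?mp%\\|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)


def parse_reg_query(text: str) -> Dict[str, str]:
    """Map value name -> data for every value line in `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group("name")] = m.group("data").strip()
    return values


def split_command(data: str) -> List[str]:
    """Split a Run value into tokens, keeping quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', data)]


def classify_run_value(data: str) -> Optional[str]:
    """Return why a Run value matches the dropper's pattern, or None if it does not."""
    tokens = split_command(data)
    if not tokens:
        return None
    exe = tokens[0]
    if TEMP_DIR.search(exe):
        return f"autorun executable lives in a temp directory: {exe}"
    if exe.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "rundll32") and len(tokens) > 1:
        # rundll32 accepts "dll,Func" or "dll Func ..."; the advisory shows the latter.
        dll, _, func = tokens[1].partition(",")
        if TEMP_DIR.search(dll):
            func = func or (tokens[2] if len(tokens) > 2 else "?")
            return f"rundll32 loads a DLL from a temp directory: {dll} (export {func})"
    return None


def find_suspicious_autoruns(text: str) -> List[Tuple[str, str]]:
    """Return (value name, reason) pairs for every Run entry matching the pattern."""
    return [(n, r) for n, d in parse_reg_query(text).items() if (r := classify_run_value(d))]


if __name__ == "__main__":
    for name, reason in find_suspicious_autoruns(SAMPLE_REG_QUERY):
        print(f"{name}: {reason}")
```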
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":