When the Trojan is executed, it registers itself as the following service:
IPv6 Stack Local Support
%SystemDrive%\System32\svchost.exe -k netsvcs
It creates the following registry subkey in order to register the above service:
Next, it checks for Internet connectivity by attempting to connect to the following location:
If the connection fails, it attempts to modify proxy settings in the following registry subkey in order to establish a connection:
Once Internet connectivity has been established, the Trojan downloads the following executable file:
Next, the Trojan creates the following registry entry as an infection marker:
HKEY_CURRENT_USER\Software\Microsoft\Clock\"HID" = "[RANDOM HEXADECIMAL VALUE]"
The Trojan then collects the following system information and sends it to a remote command-and-control (C&C) server:
- A list of recently accessed files
- A list of running processes
- A list of running services
- Available network shares
- Established connections and ports
- Hardware information, including BIOS, network cards, etc.
- Network adapter information
- Operating system information, including version, product ID, registered owner, etc.
Next, the Trojan may download more malware onto the compromised computer. It has been observed to download Backdoor.Nflog.
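The two host artifacts described above, the service display name "IPv6 Stack Local Support" and the HKEY_CURRENT_USER\Software\Microsoft\Clock\"HID" infection marker, are the ones an administrator can check for directly. The following is an added detection example, not Symantec's own tooling or code from this writeup: it parses an exported .reg file and a list of service display names, both constructed here as sample input, and reports whether either indicator is present. The HID data value and the service list are made up for the example; the real HID value is random, so only the key and value name are matched.

```python
import re

# Constructed sample of a registry export (.reg) as it might be collected
# from a suspect host; the HID data "3f9a1c7b" is a made-up placeholder
# standing in for the random hexadecimal value the Trojan writes.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Clock]
"HID"="3f9a1c7b"
"""

# Constructed list of (display name, image path) pairs such as one would
# gather from the Services snap-in or a service enumeration tool.
SAMPLE_SERVICES = [
    ("Windows Update", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("IPv6 Stack Local Support", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

# Indicators taken from the writeup above.
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Clock"
MARKER_VALUE = "HID"
SERVICE_NAME = "IPv6 Stack Local Support"


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only REG_SZ values (written as "name"="data") are parsed; other value
    types are ignored, which is enough for the HID marker.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def find_infection_marker(reg_text):
    """Return the HID data if the Trojan's marker key/value exists, else None."""
    keys = parse_reg_export(reg_text)
    # Registry paths and value names are case-insensitive, so compare lowered.
    for path, values in keys.items():
        if path.lower() == MARKER_KEY.lower():
            for name, data in values.items():
                if name.lower() == MARKER_VALUE.lower():
                    return data
    return None


def find_suspicious_service(services):
    """Return display names that match the Trojan's service name."""
    return [name for name, _path in services if name.lower() == SERVICE_NAME.lower()]


def assess(reg_text, services):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    hid = find_infection_marker(reg_text)
    if hid is not None:
        findings.append(f"infection marker present: {MARKER_KEY}\\{MARKER_VALUE} = {hid}")
    for name in find_suspicious_service(services):
        findings.append(f"service registered with Trojan display name: {name}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_REG_EXPORT, SAMPLE_SERVICES):
        print(finding)
```

Because the service image path is a legitimate svchost.exe invocation with the netsvcs group, the path alone is not a usable indicator; the display name and the registry marker are what distinguish this infection from the normal services sharing that host process.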
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":