When the Trojan is executed, it drops the following files:
The Trojan has a Windows component and a Linux component.
The Windows wiper component has the following functionality:
The Trojan runs %Temp%\AgentBase.exe as a process.
The Trojan ends the following security processes:
The Trojan creates a thread that enumerates the physical drives and overwrites each one, through to the end of the disk, with one of the following words:
The Trojan also tries to write over all physical disks and removable drives.
The Linux wiper component has the following functionality:
The Trojan looks for saved credentials at the following path:
%UserProfile%\Local Settings\Application Data\Felix_Deimel\mRemote\confCons.xml
The Trojan creates a thread that drops a bash script to the following location:
The bash script is a wiper written to run on any Linux distribution, with specific commands for SunOS, AIX, and HP-UX (Unix systems rather than Linux distributions). It wipes the /kernel, /usr, /etc, and /home directories.
The Trojan parses the connection information from mRemote's configuration file.
The Trojan uploads the script over SSH to the remote Linux computer, saves it as /tmp/cups, and executes it.
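The two steps above (reading connection details out of mRemote's confCons.xml, then using them to push the wiper over SSH) also tell a responder which hosts to check first. The following defender-side triage script is an added example, not Symantec's code and not part of the Trojan: it parses a confCons.xml and lists the SSH entries a compromised mRemote install would expose. It assumes a layout that is not described on the page: the file's root element holds Node elements with Name, Type, Hostname, Port, Protocol, Username and Password attributes, and folders are Type="Container" nodes that nest further Node children. The embedded sample file, its hostnames and usernames are constructed.

```python
"""Enumerate SSH connections saved in an mRemote confCons.xml.

Added example (not Symantec's code and not the Trojan's): given the
confCons.xml from a machine that ran the Trojan, list the SSH hosts whose
saved credentials could have been used to push the /tmp/cups wiper, so
those hosts can be checked first.

Assumed layout (not stated on the page): the root element contains <Node>
elements carrying Name, Type, Hostname, Port, Protocol, Username and
Password attributes; folders are Type="Container" nodes with child <Node>s.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout; hosts, users and blobs are made up.
SAMPLE_CONFCONS = """<Connections Name="Connections" Export="False" ConfVersion="2.5">
  <Node Name="Unix servers" Type="Container" Expanded="True">
    <Node Name="db01" Type="Connection" Protocol="SSH2" Hostname="10.0.0.11"
          Port="22" Username="oracle" Password="AbCdEfGh==" />
    <Node Name="hpux-legacy" Type="Connection" Protocol="SSH1" Hostname="10.0.0.12"
          Port="2222" Username="root" Password="" />
  </Node>
  <Node Name="win-jump" Type="Connection" Protocol="RDP" Hostname="10.0.0.20"
        Port="3389" Username="admin" Password="XyZ==" />
</Connections>
"""

SSH_PROTOCOLS = {"SSH1", "SSH2"}


def ssh_targets(xml_text):
    """Return every SSH connection entry, searching nested containers too."""
    root = ET.fromstring(xml_text)
    targets = []
    for node in root.iter("Node"):          # iter() walks all nesting levels
        if node.get("Type", "") == "Container":
            continue                         # folders carry no connection data
        proto = node.get("Protocol", "").upper()
        if proto not in SSH_PROTOCOLS:
            continue                         # RDP/VNC entries are not SSH-pushable
        host = node.get("Hostname", "").strip()
        if not host:
            continue
        targets.append({
            "name": node.get("Name", ""),
            "host": host,
            "port": int(node.get("Port") or 22),
            "user": node.get("Username", ""),
            "protocol": proto,
            # The Password attribute is an encrypted blob; we do not decrypt it,
            # we only record whether a saved credential exists at all.
            "saved_password": bool(node.get("Password", "")),
        })
    return targets


def at_risk_hosts(xml_text):
    """(host, port) pairs reachable non-interactively: SSH entries with a saved password."""
    return sorted({(t["host"], t["port"])
                   for t in ssh_targets(xml_text) if t["saved_password"]})


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFCONS
    for t in ssh_targets(text):
        flag = "CHECK for /tmp/cups" if t["saved_password"] else "no saved password"
        print(f"{t['name']:<14} {t['user']}@{t['host']}:{t['port']} ({t['protocol']}) {flag}")
```

Run it with the path to a recovered confCons.xml; entries without a saved password are still listed, since the operator may have typed the password interactively, but hosts with a stored credential are the ones the Trojan could reach without any user involvement and should be examined for /tmp/cups and for missing /usr, /etc and /home content first.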
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":