The Trojan is usually dropped by a specially crafted RTF document that exploits the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability.
When the Trojan is executed, it creates the following files:
The document.doc file is not malicious.
The Trojan creates the following registry entries so that it runs every time Windows starts:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Display Card Driver" = "rundll32.exe %System%\msdap.dll,Display"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Display Card Driver" = "rundll32.exe %System%\msdap.dll,Display"
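The following PowerShell check is an added example, not part of the original write-up, and not Symantec tooling: it inspects the two Run keys listed above for the "Display Card Driver" value or any rundll32 command that loads msdap.dll with the Display export, and reports whether the DLL is present in the System32 folder (the %System% path the entries reference). The value name, DLL name and export are taken from the entries above; everything else is assumed.

```powershell
# Added example: hunt the Run keys named in the write-up for the persistence entry.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$valueName = 'Display Card Driver'
# Match rundll32 loading msdap.dll and calling its "Display" export, regardless of path.
$commandPattern = 'rundll32(\.exe)?\s+.*msdap\.dll,Display'

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* metadata properties Get-ItemProperty adds to every object.
        if ($p.Name -like 'PS*') { continue }
        $byName    = ($p.Name -eq $valueName)
        $byCommand = ([string]$p.Value) -match $commandPattern
        if ($byName -or $byCommand) {
            [pscustomobject]@{
                Key        = $key
                ValueName  = $p.Name
                Command    = $p.Value
                MatchedOn  = if ($byName -and $byCommand) { 'name+command' }
                             elseif ($byName) { 'name' } else { 'command' }
            }
        }
    }
}

# %System% in the write-up resolves to the System32 folder on a standard install.
$dllPath = Join-Path -Path $env:SystemRoot -ChildPath 'System32\msdap.dll'
$dllPresent = Test-Path -Path $dllPath

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No matching Run-key entries found.'
}
Write-Output ("msdap.dll present in System32: {0}" -f $dllPresent)
```

Run it from an elevated prompt so HKLM is readable; a hit on either key, or the DLL being present without a matching Run entry (the Trojan can delete its own Run keys), warrants pulling the DLL for analysis and checking outbound connections to port 8081.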
The Trojan creates the following mutex so that only one instance of the threat executes on the computer:
The Trojan then opens a back door on the compromised computer and connects to port 8081 on the following IP address:
The Trojan may perform the following actions:
- Download files
- Upload files
- Execute commands
- Delete registry Run keys
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":