When the worm is executed, it creates the following file:
%UserProfile%\Application Data\[RANDOM CHARACTERS FILE NAME].exe
Once the dropped copy is running, the worm deletes the original executable to hide its presence on the compromised computer, so the file under Application Data is the copy to collect for analysis.
The worm then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM KEY]" = "%UserProfile%\Application Data\[RANDOM CHARACTERS FILE NAME].exe"
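Because the file name and the Run value name are both random, there is no fixed indicator to search for; what can be hunted is the pattern itself: a HKCU Run value whose command resolves to an executable under the per-user Application Data folder. The following PowerShell is an added example, not part of the Symantec write-up, that enumerates those values and reports whether the target still exists and whether it carries a valid Authenticode signature. It assumes it is run in the affected user's session (HKCU is per user) and that the Application Data location is whatever Windows reports for that user (`%UserProfile%\Application Data` on Windows XP, `...\AppData\Roaming` with an `Application Data` junction on later versions).

```powershell
# Added example: hunt for HKCU Run persistence pointing into Application Data.
# Not from the original write-up; paths and names are resolved at run time.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData = [Environment]::GetFolderPath('ApplicationData')   # per-user Application Data / AppData\Roaming

function Get-RunCommandPath {
    param([string]$Command)
    # Expand %VARS%, strip surrounding quotes and drop any trailing arguments
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($expanded.Trim() -split '\s+')[0]
}

$suspects = @()
$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata properties that Get-ItemProperty adds
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        $exe = Get-RunCommandPath ([string]$p.Value)
        if ($exe -and $exe.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)) {
            $exists = Test-Path -LiteralPath $exe
            $suspects += [pscustomobject]@{
                ValueName = $p.Name
                Command   = $p.Value
                Target    = $exe
                Exists    = $exists
                Signature = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
                SHA256    = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { 'n/a' }
            }
        }
    }
}

if ($suspects.Count -eq 0) {
    Write-Output "No HKCU Run entries point into $appData"
} else {
    $suspects | Format-Table -AutoSize
}
```

A hit is not proof on its own, since some legitimate software also auto-starts from Roaming, but an unsigned executable with a random-looking name in that location, referenced from a random-looking Run value, matches the behaviour described above and is worth hashing and submitting before the Run value is removed. Run the check under each user profile on the machine; a value under HKCU is only visible in that user's hive.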
The worm then connects to one of the following command-and-control (C&C) servers and opens a back door on the compromised computer:
Next, the worm gathers information from the compromised computer and sends it to the remote attacker.
The worm may then perform the following actions:
- Spread itself through removable drives
- Spread itself through network shares
- Download and execute other malicious files
- Perform distributed-denial-of-service (DDoS) attacks through UDP or TCP flooding
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":