The Trojan propagates through spam emails. The attackers may include links to the malware in the emails, embed the malware into attached files, or place the malware in attached password-protected archives. The malware usually disguises itself using the icon of a legitimate file, such as Adobe Acrobat or Reader.
When the Trojan is executed, it drops a copy of itself under the following file name:
- %UserProfile%\Local Settings\Temp\[RANDOM FILE NAME ONE].exe
The Trojan serves as an initial infection vector for other threats. It downloads potentially malicious files from arbitrary URLs, such as the following:
The Trojan saves downloaded files under the following file name:
- %UserProfile%\Local Settings\Temp\[RANDOM FILE NAME TWO].exe
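As an added example, not Symantec's own tooling, the following Python check applies the two drop paths above to file-creation events: a PE image written into Local Settings\Temp by a process outside that folder is treated as the initial drop, and one written by a process already running from that folder as the downloader stage. The event fields, sample paths and file names are constructed for illustration.

```python
import re
from typing import Dict, List

# Drop location named in the advisory; %UserProfile% is left open so any
# profile root matches (constructed pattern, case-insensitive like NTFS).
TEMP_EXE_RE = re.compile(r"\\Local Settings\\Temp\\[^\\]+\.exe$", re.IGNORECASE)


def is_pe_image(header: bytes) -> bool:
    """A Windows executable starts with the 'MZ' DOS stub, whatever icon it shows."""
    return header[:2] == b"MZ"


def classify(event: Dict) -> str:
    """Label one file-creation event.

    event = {"process": image path of the writer, "path": file written,
             "header": first bytes of the written file}
    Returns "drop" for a PE written into the Temp folder by a process outside
    it (the initial copy), "download" when the writer already runs from that
    folder (the dropped copy fetching further payloads), and "" otherwise.
    """
    if not (TEMP_EXE_RE.search(event["path"]) and is_pe_image(event["header"])):
        return ""
    return "download" if TEMP_EXE_RE.search(event["process"]) else "drop"


def flag_temp_drops(events: List[Dict]) -> List[Dict]:
    """Return the events worth alerting on, each tagged with its stage."""
    hits = []
    for ev in events:
        stage = classify(ev)
        if stage:
            hits.append({**ev, "stage": stage})
    return hits


# Constructed sample events (hypothetical paths and names, not from the advisory).
SAMPLE_EVENTS = [
    {"process": r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
     "path": r"C:\Documents and Settings\alice\Local Settings\Temp\acr1.tmp",
     "header": b"%PDF-1.4"},
    {"process": r"C:\Documents and Settings\alice\Desktop\invoice.exe",
     "path": r"C:\Documents and Settings\alice\Local Settings\Temp\kxq8f2.exe",
     "header": b"MZ\x90\x00"},
    {"process": r"C:\Documents and Settings\alice\Local Settings\Temp\kxq8f2.exe",
     "path": r"C:\Documents and Settings\alice\Local Settings\Temp\a1b2c3.exe",
     "header": b"MZ\x90\x00"},
    {"process": r"C:\Documents and Settings\alice\Local Settings\Temp\kxq8f2.exe",
     "path": r"C:\Documents and Settings\alice\Local Settings\Temp\a1b2c3.dat",
     "header": b"\x00\x00"},
]

if __name__ == "__main__":
    for hit in flag_temp_drops(SAMPLE_EVENTS):
        print(hit["stage"], hit["process"], "->", hit["path"])
```

The header check matters because the dropped file may carry a misleading icon; the MZ stub is what identifies it as an executable regardless of how it is displayed.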
The Trojan has been observed downloading the following malware, among others:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":