The Trojan arrives on the compromised computer through exploit kits.
When the Trojan is executed, it creates the following files:
- %UserProfile%\Application Data\verison.dll
- %UserProfile%\Start Menu\Programs\Startup\HpM3Util.exe
The Trojan creates the following registry entries:
- HKEY_CURRENT_USER\Software\Adobe\Adobe ARM\1.0\ARM\"tLast_ReadedSpec"=%BinaryData%
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\"twunk_32.exe"=%DWORDvalue%
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\"winhlp32.exe"=%DWORDvalue%
The %DWORDvalue% may vary depending on the version of Internet Explorer installed on the compromised computer.
The Trojan connects to URLs created by its own domain generation algorithm.
The Trojan downloads and executes potentially malicious files on the compromised computer.
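As an added example that is not part of the Symantec writeup, the following read-only PowerShell check looks for the file and registry indicators listed above in the current user's profile and reports any that are present; it assumes PowerShell 3 or later and that the indicators have not been renamed.

```powershell
# Added example (not from the writeup): report-only check for the listed indicators.
$findings = @()

# File indicators. On Vista and later, "%UserProfile%\Application Data" is a junction
# to AppData\Roaming, so the equivalent modern path is checked as well.
$filePaths = @(
    (Join-Path $env:USERPROFILE 'Application Data\verison.dll'),
    (Join-Path $env:APPDATA 'verison.dll'),
    (Join-Path $env:USERPROFILE 'Start Menu\Programs\Startup\HpM3Util.exe'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\HpM3Util.exe')
)
foreach ($path in $filePaths) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Value = $null }
    }
}

# Registry indicators. FEATURE_BROWSER_EMULATION legitimately holds entries for other
# programs; the indicator is a value named after the two process names from the writeup.
$emulationKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'
$registryChecks = @(
    @{ Key = 'HKCU:\Software\Adobe\Adobe ARM\1.0\ARM'; Name = 'tLast_ReadedSpec' },
    @{ Key = $emulationKey; Name = 'twunk_32.exe' },
    @{ Key = $emulationKey; Name = 'winhlp32.exe' }
)
foreach ($check in $registryChecks) {
    if (-not (Test-Path -LiteralPath $check.Key)) { continue }
    $item = Get-ItemProperty -LiteralPath $check.Key -Name $check.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings += [pscustomobject]@{
            Type     = 'Registry'
            Location = "$($check.Key)\$($check.Name)"
            Value    = $item.($check.Name)
        }
    }
}

if ($findings.Count -eq 0) {
    'No indicators from the writeup were found for the current user.'
} else {
    $findings | Format-Table -AutoSize
}
```

The script runs under the logged-on user's HKCU hive, so it must be run as each user account whose profile is being examined.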
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":