The infected Microsoft Word and Microsoft Excel files contain macro code that executes a Microsoft PowerShell script.
It then connects to the following remote locations in order to download additional files:
The downloaded files are saved to the following locations:
- %UserProfile%\Application Data\[GUID]\tor.exe
- %UserProfile%\Application Data\[GUID]\polipo.exe
Next, tor.exe is used to connect to the following location and download an additional Microsoft PowerShell script:
http://powerwormjqj42hu.onion/get.php?s=setup&mom=[GUID ONE]&uid=[GUID TWO]
It then uses polipo.exe to open a Web proxy using port 8123. This proxy is used by tor.exe to connect to the Tor network.
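The behaviour described above (an Office process spawning PowerShell, tor.exe and polipo.exe dropped into a GUID-named folder under Application Data, and a local proxy on port 8123) can be turned into simple endpoint detection logic. The following is an added example, not part of Symantec's writeup; the event records, field names and file paths are constructed to resemble Sysmon-style process, file and network telemetry.

```python
import re

# Office applications named in the writeup as carriers of the malicious macro.
OFFICE_APPS = {"winword.exe", "excel.exe"}
# Dropped files: %UserProfile%\Application Data\[GUID]\tor.exe and polipo.exe
GUID = r"\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?"
DROP_PATH = re.compile(r"\\Application Data\\" + GUID + r"\\(tor|polipo)\.exe$", re.IGNORECASE)
# Port polipo.exe listens on as a web proxy for tor.exe.
POLIPO_PORT = 8123

# Constructed sample events (not real telemetry); "type" selects which rule applies.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "file", "path": r"C:\Users\alice\Downloads\tor.exe"},  # wrong folder, no alert
    {"type": "file", "path": r"C:\Users\alice\Application Data\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\tor.exe"},
    {"type": "file", "path": r"C:\Users\alice\Application Data\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\polipo.exe"},
    {"type": "network", "image": r"C:\Program Files\Browser\browser.exe", "dest": "203.0.113.10", "port": 443},
    {"type": "network", "image": r"C:\Users\alice\Application Data\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\tor.exe",
     "dest": "127.0.0.1", "port": 8123},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return one alert string per event that matches a stage of the infection chain."""
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "process" and basename(ev["parent"]) in OFFICE_APPS \
                and basename(ev["image"]) == "powershell.exe":
            alerts.append(f"office-spawned-powershell: {ev['parent']} -> {ev['image']}")
        elif kind == "file" and DROP_PATH.search(ev["path"]):
            alerts.append(f"tor-or-polipo-dropped: {ev['path']}")
        elif kind == "network" and ev["dest"] in ("127.0.0.1", "localhost") \
                and ev["port"] == POLIPO_PORT:
            alerts.append(f"local-proxy-8123: {ev['image']} -> {ev['dest']}:{ev['port']}")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Any single rule fires on benign activity too (port 8123 is polipo's default, and administrators do run PowerShell from Office in rare cases), so treat two or more alerts from the same host within a short window as the signal worth escalating.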
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":