The Trojan may be dropped by Trojan.Mdropper.
When the Trojan is executed, it creates the following registry entries:
The Trojan uses the Microsoft Windows CVE-2015-0016 Remote Privilege Escalation Vulnerability to escalate privileges on the compromised computer.
The Trojan then checks whether the compromised computer has the PowerShell or .NET frameworks installed. If not, it downloads the installers for these frameworks from the official Microsoft website.
The Trojan may then perform the following activities:
- Receive commands from the remote attacker
- Delete the binary program
- Perform click-fraud activities
For more information, please see the following resource(s):
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":