The Trojan may arrive on the computer through phishing emails.
When the Trojan is executed, it creates the following registry entry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\[RANDOM GUID]\ShellFolder\"[RANDOM CHARACTERS]" = "[ENCRYPTED CONFIGURATION DATA]"
The Trojan then connects to one of the following remote locations to download a botnet module:
The botnet module is copied to the following location:
- %SystemDrive%\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS].tmp
Next, the Trojan creates the following registry entry so that it runs every time Windows starts:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"wwnotify" = "rundll32.dll %SystemDrive%\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS].tmp NotifierInit"
The Trojan may then perform the following actions:
- Add the compromised computer to a botnet
- Communicate with other infected peers over a peer-to-peer (P2P) protocol to retrieve configuration details
- Download and execute additional modules
- Download and execute additional files
- Inject itself into browser processes for Internet Explorer, Chrome, and Firefox in order to monitor communications and steal information
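Hunting for the artifacts above in exported registry data, as an added example (not Symantec's code or anything from the Trojan): the script parses `reg export` output offline and flags the Run value and the Explorer\CLSID\[GUID]\ShellFolder configuration blob. The file name, value name, GUIDs and blob bytes in the embedded sample are constructed. The Run check keys on the command shape (rundll32 loading a .tmp from All Users\Application Data with the NotifierInit export) and not only on the value name "wwnotify", so a renamed value is still caught; the ShellFolder check skips the well-known value names that legitimate namespace extensions set per user, so that common benign case is not flagged. The page writes `rundll32.dll`; the Windows host binary is `rundll32.exe`, so the pattern accepts either spelling.

```python
"""Offline triage of a `reg export` dump for the Run-key loader and the
Explorer\\CLSID\\{GUID}\\ShellFolder configuration blob described above.
Added example; the sample data below is constructed, not captured."""
import re
import sys

# Constructed .reg (Windows Registry Editor 5.00) text: GUIDs, random names
# and hex bytes are made up. One benign ShellFolder key is included.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"wwnotify"="rundll32.dll C:\\Documents and Settings\\All Users\\Application Data\\kxqwpz.tmp NotifierInit"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{7E4D2A10-55C3-4B8F-9A61-2D0C6E8F1B39}\ShellFolder]
"Attributes"=dword:f080004d

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{3F2A1B7C-9D4E-4F0A-B1C2-D3E4F5A6B7C8}\ShellFolder]
"qzjvkr"=hex:9a,1f,c3,00,4e,77,b2,d8,10,ee,5c,a9,03,7f,21,6b,8d,e2,44,\
  90,0c,fa,33,b7
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
CLSID_PREFIX = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\"
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Command shape from the writeup; rundll32.dll (as written) or rundll32.exe (the real binary).
LOADER_RE = re.compile(
    r"rundll32(?:\.exe|\.dll)?\s+.*All Users\\+Application Data\\+[^\\\s]+\.tmp\s+NotifierInit",
    re.IGNORECASE,
)
# Value names that legitimate namespace extensions set under a per-user ShellFolder key.
KNOWN_SHELLFOLDER_VALUES = {"attributes", "foldervalueflags", "sortorderindex", "hideasdeleteperuser"}


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: raw_value}}, joining the
    backslash-continued lines reg.exe emits for long hex values."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:  # continuation line of a hex value
            name, partial = pending
            partial += line.rstrip("\\")
            pending = (name, partial) if line.endswith("\\") else None
            if pending is None:
                keys[current][name] = partial
            continue
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            value = m.group(2)
            if value.endswith("\\"):
                pending = (name, value.rstrip("\\"))
            else:
                keys[current][name] = value
    return keys


def unquote_reg_string(raw):
    """Strip the quotes of an exported REG_SZ and undo its \\\\ and \\" escaping."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    return re.sub(r"\\(.)", r"\1", raw)


def decode_hex_value(raw):
    """Turn an exported hex:aa,bb,... (REG_BINARY) value into bytes."""
    body = raw.split(":", 1)[1] if raw.lower().startswith("hex") else raw
    return bytes(int(b, 16) for b in body.split(",") if b)


def find_indicators(keys):
    """Return (indicator, key, value_name, value) tuples for matching entries."""
    hits = []
    for name, raw in keys.get(RUN_KEY, {}).items():
        cmd = unquote_reg_string(raw)
        if name.lower() == "wwnotify" or LOADER_RE.search(cmd):
            hits.append(("run_key_loader", RUN_KEY, name, cmd))
    for key, values in keys.items():
        if not key.startswith(CLSID_PREFIX):
            continue
        parts = key[len(CLSID_PREFIX):].split("\\")  # expect {GUID}\ShellFolder
        if len(parts) != 2 or not GUID_RE.match(parts[0]) or parts[1].lower() != "shellfolder":
            continue
        for name, raw in values.items():
            if name.lower() not in KNOWN_SHELLFOLDER_VALUES:
                hits.append(("clsid_shellfolder_config", key, name, raw))
    return hits


def triage(text):
    return find_indicators(parse_reg_export(text))


if __name__ == "__main__":
    # reg.exe writes UTF-16 with a BOM; pass an export path or fall back to the sample.
    data = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for indicator, key, name, value in triage(data):
        print(f"{indicator}: {key}\\{name} = {value}")
```

Collect the data with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion out.reg /y` (HKCU is the profile of the account running reg.exe, so repeat per user) and run the script on the file. Treat hits as leads rather than verdicts: a per-user ShellFolder key with an unfamiliar value name is suspicious but not proof, and the flagged blob can be pulled out with decode_hex_value for further analysis.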
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":