This Trojan arrives on a system as a .PPS/.PPT file that is dropped by other malware. It can also be downloaded unknowingly by a user when visiting malicious Web sites.
Upon execution, it drops several files, some of which are detected as BKDR_AGENT.ADGS.
A dropped .TMP file is then injected into a running process to remain memory resident. As a result, routines of the dropped file are also exhibited on the affected system. To automate execution of the dropped malicious file, it also adds a registry entry.
It takes advantage of the following software vulnerability to drop and execute the said component file:
- Microsoft Security Bulletin MS06-012
The said vulnerability in Microsoft Office may allow a remote user to use a malformed routing slip to execute malicious code on the affected system.