According to analysis conducted by antivirus vendor F-Secure, the Webber Trojan consists of three components: an EXE downloader, an EXE Trojan, and a DLL component. Both the main Trojan components and the DLL are randomly named once dropped or copied onto the system. Webber then modifies the following registry keys:
HKCR\CLSID\{79FA9088-19CE-715D-D85A-216290C5B738}
InProcServer32 = %trojan DLL name%
ThreadingModel = Apartment

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Web Event Logger = {79FA9088-19CE-715D-D85A-216290C5B738}
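As an added example (not F-Secure's or this article's code), the following Python sketch checks a text registry export for the two changes listed above: it lists every ShellServiceObjectDelayLoad entry, resolves each CLSID to its InProcServer32 DLL, and flags the Webber CLSID. The sample export, the DLL file name and the second entry are constructed, and the sketch assumes the CLSID key was exported under HKEY_CLASSES_ROOT.

```python
# CLSID exactly as listed in the registry changes above.
WEBBER_CLSID = "{79FA9088-19CE-715D-D85A-216290C5B738}"
SSODL_SUFFIX = r"\software\microsoft\windows\currentversion\shellserviceobjectdelayload"

# Constructed sample in .reg text form; DLL name and "ExampleEntry" are made up.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Web Event Logger"="{79FA9088-19CE-715D-D85A-216290C5B738}"
"ExampleEntry"="{00000000-0000-0000-0000-000000000001}"

[HKEY_CLASSES_ROOT\CLSID\{79FA9088-19CE-715D-D85A-216290C5B738}\InProcServer32]
@="C:\\WINDOWS\\System32\\qxvbnrtk.dll"
"ThreadingModel"="Apartment"
'''

def parse_reg(text):
    """Return {lowercased key path: {value name: data}} from .reg-style text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            # Drop surrounding quotes and undo .reg backslash escaping.
            current[name.strip().strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys

def find_ssodl_entries(keys):
    """List SSODL entries with the DLL each CLSID resolves to (None if absent)."""
    findings = []
    for path, values in keys.items():
        if not path.endswith(SSODL_SUFFIX):
            continue
        for name, clsid in values.items():
            inproc_key = "hkey_classes_root\\clsid\\" + clsid.lower() + "\\inprocserver32"
            findings.append({
                "name": name,
                "clsid": clsid,
                "dll": keys.get(inproc_key, {}).get("@"),  # "@" is the default value
                "webber_match": clsid.upper() == WEBBER_CLSID,
            })
    return findings

if __name__ == "__main__":
    for finding in find_ssodl_entries(parse_reg(SAMPLE_EXPORT)):
        print(finding)
```

Because the DLL is randomly named, the match is made on the CLSID and the ShellServiceObjectDelayLoad reference rather than on any file name.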
The downloader component is responsible for downloading and installing a hidden proxy server on the infected system which can listen to up to 100 different connections, reporting the IP address of the infected system and any cached passwords to a hard-coded URL. According to F-Secure, Webber also downloads other executable files onto the system.
"In essence, we have a situation involving the creation of an illegal, extended network that is being exploited by hackers to mass mail spam using the resources of victim computers," commented Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Labs. "What is most troublesome is that this network can also be abused to achieve virtually any goal, including conducting hacker attacks on a global scale and DDoS attacks on the Web resources of large corporations or government institutions."
Though antivirus vendors have been quick to release signature updates for the Webber Trojan, users are advised to remain cautious about opening any email attachment received unexpectedly. Kaspersky Labs provides a handy online scanner that scans individual files, making it an ideal checkpoint for email attachments. Simply save the email attachment to the local drive or floppy disk, then upload it to the Kaspersky On-line Virus Checker to scan the file before opening. Of course, the best protection is to simply delete any executable-type email attachment that is received unexpectedly.