This Trojan may arrive as a .cab file.
When the .cab file is opened, the Trojan creates the following file, which is a Windows Telephony file:
The above file may also be used by other malware.
The Trojan also creates the following file, which is a malicious dialer program:
It then copies the above file to the following location:
Next, the Trojan creates the following registry entry:
HKEY_CURRENT_USER\Alpha\"Status" = "1"
The Trojan then attempts to call the following high-cost international numbers:
It also tries to run itself again after one month.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":