When the Trojan is executed, it creates the following files, which are component files of the Trojan:
The Trojan then modifies the following files to load the above files every time Windows starts:
It creates backups of the explorer.exe and winlogon.exe files in the following locations:
It also monitors the explorer.exe and winlogon.exe files to prevent the files from being restored to their original state.
The Trojan then modifies the following registry entry to disable Windows System Restore:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\"DisableSR" = "1"
It then monitors Internet Explorer, Firefox, Chrome, and Opera browsers, modifying search results from google.com, search.yahoo.com, and bing.com to include links to advertisements.
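The following read-only PowerShell check is an added example, not part of the original write-up; it looks for the two host indicators described above: the "DisableSR" value set to 1, and changes to explorer.exe and winlogon.exe. The function names, the standard %windir% locations of the two files, and the use of Authenticode status as a sign of modification are assumptions of this example.

```powershell
# Added triage example (not from the original write-up). Read-only: it changes nothing.
# Run from a 64-bit PowerShell 4.0+ session so System32 is not redirected.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'

function Test-SystemRestoreDisabled {
    # $true when DisableSR exists and equals 1, the value the write-up reports.
    $prop = Get-ItemProperty -Path $srKey -Name 'DisableSR' -ErrorAction SilentlyContinue
    return ($null -ne $prop) -and ($prop.DisableSR -eq 1)
}

function Get-ShellBinaryStatus {
    # Assumed standard locations of the two binaries the write-up names.
    $targets = @(
        (Join-Path $env:windir 'explorer.exe'),
        (Join-Path $env:windir 'System32\winlogon.exe')
    )
    foreach ($path in $targets) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Status = 'Missing'; Signer = $null; SHA256 = $null }
            continue
        }
        # A patched binary no longer matches its Microsoft signature.
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Path   = $path
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # Hash recorded for comparison against a known-good copy of the same build.
            SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

"System Restore disabled via DisableSR: $(Test-SystemRestoreDisabled)"
Get-ShellBinaryStatus | Format-List
```

A Status other than Valid, or DisableSR set to 1 on a machine where no administrator disabled System Restore, is a reason to investigate further rather than proof of infection.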
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":