When the Trojan is executed, it creates the following files:
- %CurrentFolder%\[RANDOM NUMERIC CHARACTERS].bat
- %Temp%\[RANDOM ALPHANUMERIC CHARACTERS].tmp
The Trojan then modifies the Initial Program Loader (IPL) in the NTFS boot sector so that the threat is loaded directly from the hard disk at boot time, before the operating system starts.
It then writes a malicious driver component to the disk sectors immediately following the master boot record (MBR).
Next, the Trojan deletes the files listed above and restarts the computer. On the next boot, the modified NTFS boot sector IPL loads the malicious driver component from disk into memory.
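The two on-disk changes described in the steps above (a patched NTFS IPL and a driver body stored in the sectors after the MBR) are both visible to an offline integrity check of the raw disk. The following script is an added example written for this page, not code from Symantec or from the threat: it parses the MBR partition table, hashes the NTFS volume boot record together with the 15 IPL sectors that follow it for comparison against a known-good baseline, and counts non-zero sectors in the normally empty gap between the MBR and the first partition. The disk layout, the "driver" bytes and the IPL patch are constructed sample data; on a real system you would read `\\.\PhysicalDrive0` from a clean boot environment rather than from the possibly infected OS, since a loaded boot-sector rootkit can filter raw disk reads.

```python
import hashlib
import struct

SECTOR = 512
NTFS_OEM = b"NTFS    "
# NTFS keeps its bootstrap code (the IPL) in the 15 sectors that
# immediately follow the volume boot record (VBR).
IPL_SECTORS = 15


def read_sectors(img: bytes, lba: int, count: int = 1) -> bytes:
    """Return `count` sectors starting at `lba` from an in-memory disk image."""
    return img[lba * SECTOR:(lba + count) * SECTOR]


def parse_mbr(img: bytes) -> list:
    """Parse the four primary partition entries; raise if the boot signature is missing."""
    mbr = read_sectors(img, 0)
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("MBR boot signature missing")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        start_lba, size = struct.unpack_from("<II", entry, 8)
        if ptype != 0:
            parts.append({"type": ptype, "start_lba": start_lba, "sectors": size})
    return parts


def gap_nonzero_sectors(img: bytes, first_part_lba: int) -> int:
    """Count sectors between the MBR and the first partition holding any non-zero byte.
    A clean install normally leaves this region zeroed, so a driver body
    written 'after the MBR' stands out here."""
    return sum(1 for lba in range(1, first_part_lba) if any(read_sectors(img, lba)))


def ntfs_ipl_hash(img: bytes, part_lba: int) -> str:
    """SHA-256 over the NTFS VBR plus its 15 IPL sectors, for baseline comparison."""
    vbr = read_sectors(img, part_lba)
    if vbr[3:11] != NTFS_OEM or vbr[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS volume boot record")
    return hashlib.sha256(read_sectors(img, part_lba, 1 + IPL_SECTORS)).hexdigest()


def check_image(img: bytes, baseline_ipl_hash: str) -> dict:
    """Run both checks against an image; baseline hash comes from a known-clean disk."""
    parts = parse_mbr(img)
    first = min(p["start_lba"] for p in parts)
    ntfs = next(p for p in parts if p["type"] == 0x07)  # 0x07 = NTFS partition type
    return {
        "gap_nonzero_sectors": gap_nonzero_sectors(img, first),
        "ipl_modified": ntfs_ipl_hash(img, ntfs["start_lba"]) != baseline_ipl_hash,
    }


def build_clean_image(part_lba: int = 2048, part_sectors: int = 64) -> bytes:
    """Constructed sample: one NTFS partition at LBA 2048 and a zeroed gap before it."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\x00\x00\x00", 0x07,
                     b"\x00\x00\x00", part_lba, part_sectors)
    mbr[510:512] = b"\x55\xaa"
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x52\x90"          # typical NTFS VBR entry jump
    vbr[3:11] = NTFS_OEM
    vbr[510:512] = b"\x55\xaa"
    ipl = bytes([0xB8 + (i % 7) for i in range(IPL_SECTORS * SECTOR)])  # stand-in bootstrap code
    rest = bytes(SECTOR * (part_sectors - 1 - IPL_SECTORS))
    return bytes(mbr) + bytes(SECTOR * (part_lba - 1)) + bytes(vbr) + ipl + rest


def build_infected_image(clean: bytes, part_lba: int = 2048) -> bytes:
    """Constructed sample: patch the first IPL sector and drop a fake driver body into the gap.
    The patch bytes and the driver image are hypothetical, not taken from any real sample."""
    img = bytearray(clean)
    ipl0 = (part_lba + 1) * SECTOR
    img[ipl0:ipl0 + 8] = b"\xe9\x00\x10DRIVER"        # hypothetical jump into the hidden loader
    body = b"\x4d\x5a" + b"\x90" * (SECTOR * 20 - 2)  # fake 10 KB 'MZ' driver image
    img[SECTOR * 2:SECTOR * 2 + len(body)] = body    # starts at LBA 2, before the partition
    return bytes(img)


if __name__ == "__main__":
    clean = build_clean_image()
    baseline = ntfs_ipl_hash(clean, 2048)
    print("clean:   ", check_image(clean, baseline))
    print("infected:", check_image(build_infected_image(clean), baseline))
```

The baseline hash must be taken from a disk known to be clean (or recomputed from the OS's own bootstrap code); a hash mismatch alone identifies that the IPL changed, not what changed, so the next step is to dump the differing sectors and the gap contents for analysis.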
The Trojan then monitors for any of the following processes and injects a DLL component into them:
The injected component can then modify the HTML rendered in the browser in order to display its own potentially malicious HTML to the user.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":