This threat may arrive on the computer through email or drive-by download as one of the following files:
When the Trojan is executed, it copies itself to the following location:
Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\"Microsofts" = "%Windir%\csrcs.exe"
The Trojan then connects to a remote location, downloads a malicious version of the hosts file, and saves it to the following location:
The modified hosts file redirects the user from legitimate websites to malicious sites.
It may then steal information from the compromised computer.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":