The threat may arrive on the computer through a BitTorrent application; it must be manually downloaded. The downloaded package may contain the following zip archive and a shell script that installs the threat:
When the Trojan executes, it creates the following files:
It then deletes the following file:
Next, it modifies the following file:
The Trojan sets itself to run at startup as GraphicConverter.
It then uses the resources of the compromised computer to mine bitcoins for the attacker.
It also captures screenshots and logs status information, which it saves in the following file:
It counts the number of files on the disk related to the following keywords:
It copies the information to the following file:
It then searches for the user's bitcoin wallet file. If it finds the wallet file, the Trojan appends it to the file above.
Next, it opens a back door to a remote server on port 1900.
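As an added example, not part of the Symantec write-up, the following script checks a macOS host for two of the behaviours described above: a launchd persistence entry named GraphicConverter (the write-up only says the Trojan runs at startup under that name; that launchd is the mechanism is an assumption) and an established TCP connection to a remote server on port 1900. The plist and the `lsof -i -nP` lines are constructed samples so the script runs offline; on a real host you would read the plists under the LaunchAgents and LaunchDaemons directories and capture `lsof` output yourself.

```python
"""Hunting helper for the indicators described in the write-up (added example).

Assumptions, labelled as such:
  - persistence is a launchd plist whose Label is "GraphicConverter"
  - the back door shows up as an ESTABLISHED TCP connection to remote port 1900
"""
import plistlib
import re
from typing import Dict, List, Optional

# Constructed sample: a launchd agent plist in the shape found on disk.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>GraphicConverter</string>
  <key>ProgramArguments</key>
  <array><string>/Users/demo/Library/GraphicConverter/bin</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed sample lines in the shape of `lsof -i -nP` output (hostnames and
# addresses are documentation ranges, not real indicators).
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari     1201 demo   14u  IPv4 0x1a2b      0t0  TCP 192.168.1.10:52311->93.184.216.34:443 (ESTABLISHED)
bin        1337 demo    3u  IPv4 0x3c4d      0t0  TCP 192.168.1.10:52390->203.0.113.5:1900 (ESTABLISHED)
mDNSRespon   88 _mdns   6u  IPv4 0x5e6f      0t0  UDP *:5353
"""

SUSPECT_LABEL = "GraphicConverter"  # startup name from the write-up
SUSPECT_PORT = 1900                 # back door port from the write-up


def check_launchd_plist(data: bytes) -> Optional[Dict]:
    """Return a finding when the plist's Label is the suspect name, else None.

    The program path is reported so an analyst can compare it with the
    legitimate GraphicConverter application bundle before acting.
    """
    plist = plistlib.loads(data)
    label = plist.get("Label", "")
    if label != SUSPECT_LABEL:
        return None
    program = plist.get("Program") or " ".join(plist.get("ProgramArguments", []))
    return {
        "label": label,
        "program": program,
        "run_at_load": bool(plist.get("RunAtLoad", False)),
    }


# Matches one ESTABLISHED TCP line and captures the remote endpoint.
LSOF_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+).*?TCP\s+\S+->"
    r"(?P<rhost>[\d.]+):(?P<rport>\d+)\s+\(ESTABLISHED\)"
)


def check_connections(lsof_output: str) -> List[Dict]:
    """Return one finding per established connection to the suspect port."""
    findings = []
    for line in lsof_output.splitlines():
        m = LSOF_LINE.match(line)
        if m and int(m.group("rport")) == SUSPECT_PORT:
            findings.append({
                "command": m.group("cmd"),
                "pid": int(m.group("pid")),
                "remote": f"{m.group('rhost')}:{m.group('rport')}",
            })
    return findings


if __name__ == "__main__":
    hit = check_launchd_plist(SAMPLE_PLIST)
    if hit:
        print(f"persistence: label={hit['label']} program={hit['program']}")
    for f in check_connections(SAMPLE_LSOF):
        print(f"back door: pid={f['pid']} cmd={f['command']} -> {f['remote']}")
```

A label match alone is not proof of infection, since the legitimate GraphicConverter application could register a helper under the same name; the reported program path is what distinguishes the two, which is why the finding carries it rather than a verdict.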
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":