When the Trojan is executed, it may copy itself to any of the following locations:
It installs itself as a module for the Apache HTTP server.
Next, the Trojan connects to the following location to obtain some HTML code:
The Trojan may then inject the custom HTML iFrame code from the above location into visited Web pages.
The injected iFrame HTML code points to another website that hosts an exploit kit.
It may then download a copy of Trojan.Zbot
on to the compromised computer.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":