When the Trojan is executed, it copies itself as the following file:
%UserProfile%\Application Data\[FILE NAME].exe
File name is one of the following:
The Trojan then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[FILE NAME]" = "%UserProfile%\Application Data\[FILE NAME].exe"
Next, the Trojan creates the following mutex:
It then collects the following information and sends it to a remote location:
- Computer name
- Path of threat
- System volume/serial number
- Version of threat
The Trojan also enumerates the running processes on the compromised computer and sends statistics to a remote location.
Statistics on the following processes are not recorded:
The preceding information is sent to one or more of the following remote locations:
The Trojan may also download updates of itself if necessary.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":