The Trojan works on both Windows and Mac platforms.
Once executed, the Trojan downloads two configuration files from the following locations:
The above configuration files contain URLs used to download plugins and an installer module which are copied to the following locations:
- Mac: $HOME/Library/LaunchAgents/SysJar
- Windows: %UserProfile%\Application Data\SysJar
The Trojan then creates the following files and registry entries so that it runs every time the computer starts:
- $HOME/Library/LaunchAgents/[PLUGIN NAME].plist
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[PLUGIN NAME]
Currently [PLUGIN NAME] is either minesender.jar or SecCorrect.jar.
Next, the Trojan downloads a list of email addresses from the following location:
The Trojan then steals login credentials for the game Minecraft from the compromised computer. It then encrypts the stolen information and sends it to one of the downloaded email addresses.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":