When the Trojan is executed, it creates the following file:
The Trojan may infect drivers in the following location:
Infected driver files are detected as W32.Ratavar!inf.
Next, it creates a service using the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM REGISTRY SUBKEY VALUE]
The Trojan then connects to the following remote location:
The Trojan may then download other malware onto the compromised computer.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":