When the Trojan is executed, it copies itself to the following location:
%UserProfile%\Application Data\[RANDOM LETTERS].exe
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\[RANDOM LETTERS]\"CurrentPath111" = "%CurrentFolder%\[THREAT NAME].exe"
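To check a host for the registry value and file location described above, the following added example (not part of the original write-up) scans the text of a registry export of HKEY_CURRENT_USER\Software. The sample export, the key name "qwxzrt" and the user name are constructed; reading "[RANDOM LETTERS]" as an alphabetic-only name and also accepting AppData\Roaming (where "Application Data" points on Windows Vista and later) are assumptions.

```python
import re

VALUE_NAME = "CurrentPath111"  # value name given in the write-up
# Only keys directly under HKCU\Software, where the write-up places the random key.
KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\Software\\[^\\\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Assumption: the dropped copy has a letters-only name in the roaming profile folder.
DROPPED_RE = re.compile(
    r"\\(?:Application Data|AppData\\Roaming)\\[A-Za-z]+\.exe$", re.I)

# Constructed sample in .reg export syntax (real exports are UTF-16 LE on disk).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Notepad]
"CurrentPath111"="C:\\ignored-nested-key.exe"

[HKEY_CURRENT_USER\Software\qwxzrt]
"CurrentPath111"="C:\\Documents and Settings\\alice\\Application Data\\qwxzrt.exe"

[HKEY_CURRENT_USER\Software\ExampleApp]
"InstallDir"="C:\\Program Files\\ExampleApp"
'''

def unescape(s):
    """Undo .reg string escaping (a doubled backslash, an escaped quote)."""
    return re.sub(r"\\(.)", r"\1", s)

def find_persistence(reg_text):
    """Return (key, data) for each CurrentPath111 value in a direct subkey."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            key = m.group(1) if m else None  # nested or foreign keys are skipped
            continue
        m = VALUE_RE.match(line)
        if key and m and unescape(m.group(1)).lower() == VALUE_NAME.lower():
            hits.append((key, unescape(m.group(2))))
    return hits

def is_dropped_copy(path):
    """True if the path matches the self-copy location from the write-up."""
    return bool(DROPPED_RE.search(path))

if __name__ == "__main__":
    for key, path in find_persistence(SAMPLE):
        tag = "dropped-copy path" if is_dropped_copy(path) else "other path"
        print(f"{key} -> {path} ({tag})")
```

For a real export file, read it with encoding="utf-16" and pass the text to find_persistence.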
The Trojan contains an embedded DLL file which is unpacked into memory. The DLL file can download and execute payloads or inject them into existing processes.
The Trojan downloads and executes potentially malicious files from the following URLs:
This Trojan has been known to download W32.Phopifas.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":