When the Trojan is executed, it copies itself to the following location:
It also creates the following files:
- %Temp%\[THREAT FILE NAME].exe.log
Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"(Default)" = "%UserProfile%\Application Data\Microsoft\svchost.exe"
The Trojan then opens a back door and allows a remote attacker to gain access to the compromised computer. It may then download more files onto the computer, update itself, and steal information from the compromised computer.
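The Run entry above registers a file named svchost.exe from a user profile folder rather than from System32, which is something a defender can check for in exported autostart values. The following is an added example, not part of the original write-up: the function names, the short list of system binary names, the treatment of the (Default) value as a heuristic, and the two benign sample entries are assumptions constructed for illustration.

```python
import ntpath

# Binaries that normally run only from System32/SysWOW64 (illustrative, not exhaustive).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "winlogon.exe"}
# Expected parent folders, lower-cased, with and without the environment variable expanded.
TRUSTED_DIRS = {r"%systemroot%\system32", r"%systemroot%\syswow64",
                r"c:\windows\system32", r"c:\windows\syswow64"}

def image_path(data):
    """Extract the executable path from Run value data (handles quotes and arguments)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end != -1 else data[1:]
    # Unquoted paths may contain spaces, so cut after the first ".exe".
    idx = data.lower().find(".exe")
    return data[:idx + 4] if idx != -1 else data

def check_run_value(name, data):
    """Return the reasons a Run value looks suspicious (empty list means no finding)."""
    reasons = []
    directory, exe = ntpath.split(image_path(data))
    if exe.lower() in SYSTEM_BINARIES and directory.lower().rstrip("\\") not in TRUSTED_DIRS:
        reasons.append(f"system binary name {exe} registered from {directory}")
    # Heuristic (assumption): an autostart in the key's unnamed default value merits review.
    if name in ("", "(Default)"):
        reasons.append("autostart stored in the key's (Default) value")
    return reasons

def scan(values):
    """Map value name -> reasons for every flagged (name, data) pair."""
    return {name: r for name, data in values if (r := check_run_value(name, data))}

# Sample HKCU Run values: the first is the entry from the write-up,
# the other two are constructed benign entries.
SAMPLE_RUN_VALUES = [
    ("(Default)", r"%UserProfile%\Application Data\Microsoft\svchost.exe"),
    ("SecurityHealth", r"%SystemRoot%\System32\SecurityHealthSystray.exe"),
    ("Updater", r'"C:\Program Files\Example\updater.exe" /background'),
]

if __name__ == "__main__":
    for value_name, reasons in scan(SAMPLE_RUN_VALUES).items():
        for reason in reasons:
            print(f"[!] Run\\{value_name}: {reason}")
```
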
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":