When the Trojan is executed, it creates the following log file:
The Trojan will write the following information to the log file:
- Operating system version
- Randomly generated name
The Trojan drops and loads the following file:
%System%\[EIGHT RANDOM HEXADECIMAL NUMBERS].sys
The Trojan saves the Master Boot Record and then overwrites it to execute its own loader.
The Trojan loads and executes the saved Master Boot Record.
The Trojan may replace sfc_os.dll with a malicious DLL file.
The malicious DLL file is a downloader and it may download and run a malicious file from the following address:
The Trojan stores the malicious DLL file in the sectors immediately after the saved Master Boot Record.
The DLL is hidden from Windows users and will be used by the Trojan during system startup.
The Trojan will attempt to terminate antivirus software.
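The artifacts described above can be triaged offline from a directory listing and a raw disk image. The following is an added example, not part of the original writeup: it flags .sys files named with eight hexadecimal characters and looks for a sector other than LBA 0 that carries the MBR boot signature and is directly followed by a PE file. All function names are hypothetical, the sample image is constructed, and the check is a heuristic that assumes 512-byte sectors.

```python
import re
import struct

SECTOR = 512
# Eight hexadecimal characters followed by .sys, as in the dropped driver name.
HEX_DRIVER = re.compile(r"^[0-9a-f]{8}\.sys$", re.IGNORECASE)

def hex_named_drivers(filenames):
    """Return file names that match the eight-hex-character .sys pattern."""
    return [name for name in filenames if HEX_DRIVER.match(name)]

def has_boot_signature(sector):
    """True if a 512-byte sector ends with the 0x55AA boot signature."""
    return len(sector) == SECTOR and sector[510:512] == b"\x55\xaa"

def starts_pe_image(data):
    """True if data begins with an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def saved_mbr_candidates(image):
    """LBAs (other than 0) where an MBR-like sector is directly followed by a PE file."""
    hits = []
    for lba in range(1, len(image) // SECTOR - 1):
        off = lba * SECTOR
        if has_boot_signature(image[off:off + SECTOR]) and \
           starts_pe_image(image[off + SECTOR:off + 3 * SECTOR]):
            hits.append(lba)
    return hits

def build_sample_image(infected):
    """Constructed 8-sector test image; not data from a real sample."""
    mbr = bytes(510) + b"\x55\xaa"
    pe = bytearray(SECTOR)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)  # e_lfanew -> offset 0x80
    pe[0x80:0x84] = b"PE\x00\x00"
    sectors = [mbr] + [bytes(SECTOR)] * 7
    if infected:
        sectors[5], sectors[6] = mbr, bytes(pe)  # saved MBR copy, then DLL
    return b"".join(sectors)

if __name__ == "__main__":
    print(hex_named_drivers(["acpi.sys", "1A2B3C4D.sys", "1a2b3c4.sys"]))
    print(saved_mbr_candidates(build_sample_image(infected=True)))
```

Partition boot sectors also end in 0x55AA, so a hit is a lead for manual review of those sectors, not a verdict.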
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":