When the Trojan is executed, it creates the following directory and files:
- %UserProfile%/My Documents/AppData/explorer.exe
- %UserProfile%/My Documents/AppData/explorer.dat
- %UserProfile%/My Documents/AppData/
- %UserProfile%/My Documents/AppData/exp.dat
- %UserProfile%/My Documents/AppData/exp.exe
The Trojan then creates the following registry entry so that it runs every time Windows starts:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"~backup~" = "%UserProfile%/My Documents/AppData/explorer.exe"
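As an added check, not part of the Symantec write-up, the following Python script compares a host's HKCU Run values and the files present on disk against the dropped-file paths and the "~backup~" Run entry listed above; the Run values and file list in the example are constructed, and the live-registry reader only runs on Windows.

```python
import os
import re
import sys

# Indicators quoted from the write-up above; slashes are normalised below, since the real paths use backslashes.
RUN_VALUE_NAME = "~backup~"
RUN_VALUE_DATA = "%UserProfile%/My Documents/AppData/explorer.exe"
DROPPED_FILES = [
    "%UserProfile%/My Documents/AppData/explorer.exe",
    "%UserProfile%/My Documents/AppData/explorer.dat",
    "%UserProfile%/My Documents/AppData/exp.dat",
    "%UserProfile%/My Documents/AppData/exp.exe",
]

def normalise(path: str) -> str:
    """Strip quotes, unify slashes and lower-case for a case-insensitive compare."""
    return path.strip().strip('"').replace("/", "\\").lower()

def expand(path: str, user_profile: str) -> str:
    """Expand %UserProfile% (any casing) against the given profile directory."""
    return normalise(re.sub("%userprofile%", lambda _: user_profile, path, flags=re.IGNORECASE))

def find_indicators(run_values: dict, existing_files: list, user_profile: str) -> list:
    """Match Run values and files present on disk against the indicators above; Run-key hits come first."""
    hits = []
    expected = expand(RUN_VALUE_DATA, user_profile)
    for name, data in run_values.items():
        if name == RUN_VALUE_NAME or expand(data, user_profile) == expected:
            hits.append(f"run key: {name} = {data}")
    present = {normalise(p) for p in existing_files}
    hits += [f"dropped file: {f}" for f in DROPPED_FILES if expand(f, user_profile) in present]
    return hits

def collect_live_run_values() -> dict:
    """Read HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (Windows only)."""
    import winreg  # Windows-only module, so imported lazily
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                return values
            values[name], i = str(data), i + 1

if __name__ == "__main__" and sys.platform == "win32":
    profile = os.environ["USERPROFILE"]
    on_disk = [p for p in (expand(f, profile) for f in DROPPED_FILES) if os.path.exists(p)]
    for hit in find_indicators(collect_live_run_values(), on_disk, profile):
        print(hit)
```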
The Trojan has virtual machine detection capabilities.
It searches for and disables security products from the following vendors:
- Bit Defender
- Microsoft Security Essentials
The Trojan can inject code in the following browsers:
- Internet Explorer
The Trojan may then redirect the above browsers to any of the following remote locations:
Next, the Trojan gathers the following information from the compromised computer and sends it to one of the above remote locations:
- Operating system version
- Virtual machine details, if present
- Processor type
The Trojan may also modify the HTTP request header to make it appear to be coming from another location.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":