The threat may arrive on the compromised computer by being downloaded via browser exploits or social engineering.
Once executed, the Trojan copies itself as the following files:
It also creates the following clean file:
It modifies the host's DNS servers to one of the following sets of IP addresses:
It then updates crontab to run the following script:
This script ensures the DNS server entries are reverted to the above IP addresses whenever they are changed, so the rogue resolvers persist even after a user or administrator restores the correct settings.
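The following defender-side check is an added example, not code from the write-up or from Symantec: it parses the output of two macOS commands, `networksetup -getdnsservers <service>` and `crontab -l`, and flags resolvers outside an allow-list as well as crontab entries that could re-apply rogue resolvers (a DNS-writing command, or an every-minute schedule of the kind a revert loop needs). The allow-list, the every-minute heuristic and the sample outputs are constructed assumptions; the script path used in the test is a placeholder.

```python
import re
import subprocess
import sys

# Constructed allow-list: the resolvers your hosts are expected to use (documentation-range IPs).
EXPECTED_DNS = frozenset({"192.0.2.53", "192.0.2.54"})

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Ways a scheduled job would rewrite resolver settings on macOS.
DNS_WRITERS = re.compile(r"networksetup\s+-setdnsservers|scutil|/etc/resolv\.conf")
# Heuristic (assumption): a revert loop is typically scheduled every minute.
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s+")


def unexpected_dns_servers(getdns_output, expected=EXPECTED_DNS):
    """Addresses printed by `networksetup -getdnsservers` that are not on the allow-list.
    The command prints one address per line, or a sentence like
    "There aren't any DNS Servers set on Wi-Fi." when none are configured."""
    addrs = [ln.strip() for ln in getdns_output.splitlines() if IPV4.match(ln.strip())]
    return [a for a in addrs if a not in expected]


def suspicious_cron_entries(crontab_output):
    """Non-comment crontab lines that invoke a DNS-writing tool or run every minute.
    Legitimate every-minute jobs are listed too and must be triaged by hand."""
    hits = []
    for ln in crontab_output.splitlines():
        s = ln.strip()
        if not s or s.startswith("#"):
            continue
        if DNS_WRITERS.search(s) or EVERY_MINUTE.match(s):
            hits.append(s)
    return hits


def check_live_host(services=("Wi-Fi", "Ethernet")):
    """Run both checks on the current macOS host; returns (bad_dns_by_service, cron_hits)."""
    bad = {}
    for svc in services:
        out = subprocess.run(["networksetup", "-getdnsservers", svc],
                             capture_output=True, text=True).stdout
        rogue = unexpected_dns_servers(out)
        if rogue:
            bad[svc] = rogue
    cron = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    return bad, suspicious_cron_entries(cron)


if __name__ == "__main__":
    if sys.platform != "darwin":
        sys.exit("run this on the macOS host under investigation")
    print(check_live_host())
```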
It then sends the CPU type, the User Identifier (UID), and the hostname to the following URL:
The Trojan then deletes the file /Library/Internet Plug-Ins/sendreq.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":