When the rootkit executes, it creates the following folders:
It also creates the following files:
Next, the rootkit overwrites the following file with a malicious component, which opens a back door on the compromised computer:
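The three behaviours above (new folders, new files, and a trusted system file overwritten with a backdoored component) are all visible to a file-integrity baseline taken before infection. The following is an added example, not code from the writeup or from Symantec, of how such a check works: snapshot SHA-256 hashes of a directory tree, then diff a later snapshot against that baseline and report modified, added and removed paths. All paths and contents in the demo are constructed placeholders, not the file names from the advisory.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline, current):
    """Return (modified, added, removed) path lists relative to the trusted baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo():
    """Build a throwaway tree, baseline it, then simulate an overwrite and dropped files.

    Everything here is constructed for illustration; the names are hypothetical.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original trusted binary\n")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        baseline = snapshot(root)  # taken from the known-good state

        # Simulated tampering (constructed): one trusted file replaced,
        # one new folder created and one new file dropped inside it.
        (root / "bin" / "login").write_bytes(b"replaced with a backdoored binary\n")
        (root / "var" / "tmp" / ".hidden").mkdir(parents=True)
        (root / "var" / "tmp" / ".hidden" / "dropper").write_bytes(b"payload\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified)
    print("added:", added)
    print("removed:", removed)
```

The baseline only has value if it was recorded while the host was clean and is stored somewhere the host cannot alter (read-only media or a separate system); a rootkit that hooks the file-listing syscalls, as the next paragraph describes, can also hide files from a scan run on the live system, so comparing against an offline image of the disk is the more reliable check.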
The rootkit hides its presence on the computer by hooking the following OS syscalls:
It then connects to a remote host, which can be specified by the attacker.
The remote host is chosen by sending a specially crafted request with a passkey from a local or a remote shell, for example:
The rootkit enables a remote attacker to execute commands with full system privileges.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":