When executed, the Trojan copies itself as the following files:
It then creates the following registry entries so that it runs every time Windows starts:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Reader_s" = "%System%\reader_s.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Reader_s" = "%UserProfile%\reader_s.exe"
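A check for the two autorun values listed above, as an added example that is not part of the original write-up. It assumes that Symantec's %System% variable maps to the Windows system directory, and it inspects only the HKCU hive of the user running it.

```powershell
# Added example: look for the "Reader_s" Run values and the files they point to.
# Assumption: %System% corresponds to [Environment]::SystemDirectory.
# Requires PowerShell 4 or later (Get-FileHash).
$valueName = 'Reader_s'
$checks = @(
    @{ Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
       File = Join-Path ([Environment]::SystemDirectory) 'reader_s.exe' },
    @{ Key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
       File = Join-Path $env:USERPROFILE 'reader_s.exe' }
)

$findings = foreach ($c in $checks) {
    # Read the Run key and pick out the Reader_s value only if it exists.
    $data  = $null
    $props = Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $valueName)) {
        $data = $props.$valueName
    }

    # -Force so that a hidden or system-attributed file is still found.
    $file = Get-Item -LiteralPath $c.File -Force -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RunKey       = $c.Key
        RunValueData = $data
        FilePath     = $c.File
        FilePresent  = [bool]$file
        SHA256       = if ($file) {
                           (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                       } else { $null }
    }
}

$findings | Format-List

if ($findings | Where-Object { $_.RunValueData -or $_.FilePresent }) {
    Write-Warning 'Reader_s autorun value or reader_s.exe found; review the entries above.'
} else {
    Write-Output 'No Reader_s autorun value or reader_s.exe found for this user.'
}
```

Run it once per user profile, since each account has its own HKCU hive and %UserProfile% folder.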
The Trojan then modifies the following file:
The Trojan then searches the compromised computer for information that may be relayed to a remote attacker.
It may also download files, including updates to itself.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":