When the Trojan is executed, it creates a black screen window and appears to exit.
Next, the Trojan creates the following service:
It then displays a standard Flash icon in the application list with the following name:
The Trojan then attempts to download an XML configuration file from the following location:
The Trojan uses the configuration file to retrieve a list of further URLs to send and receive additional data.
The Trojan then posts a Json-encoded list of installed applications to the following location:
The Trojan also contains functionality to perform the following actions:
- Delete itself
- Delete SMS messages
- Send premium-rate SMS messages to the number that is specified in the downloaded XML configuration file
- Update itself
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":