When the Trojan executes, it installs legitimate bitcoin mining software onto the compromised computer to mine bitcoins for the remote attacker.
It then creates the following files:
- %Temp%\svchoost.exe (bitcoin mining software)
- %Temp%\test.bat (a batch file that runs the bitcoin mining software with the attacker's chosen parameters)
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":