This Trojan may arrive as a malicious document that exploits one of the following vulnerabilities:
When the Trojan is executed, it may create the following files:
Next, the Trojan may create the following registry subkeys:
The Trojan then attempts to steal account information from the compromised computer. In particular, it targets the following email clients:
It may also attempt to steal account information for the following services:
The Trojan also attempts to steal keystrokes and clipboard data.
Next, the Trojan may contact one of the following URLs using HTTP:
- [REMOVED]/~svtq/cgi-bin/[PAGE NAME].cgi?[RANDOM ID]
Where [PAGE NAME] can be any of the following strings:
The Trojan may also attempt to send emails to certain email addresses.
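The URL shape given above (/~svtq/cgi-bin/[PAGE NAME].cgi?[RANDOM ID]) can be used to search web proxy logs for hosts that made matching requests. The following is an added example, not part of the original write-up; the log layout, host names, page names and IDs are constructed assumptions, and because the page names and ID format are not listed here, any page name and any non-empty query string are matched.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Path shape from the write-up: /~svtq/cgi-bin/[PAGE NAME].cgi?[RANDOM ID]
# The page names and the ID format are not given, so any page name and any
# non-empty query string are accepted (assumption).
BEACON_PATH = re.compile(r"^/~svtq/cgi-bin/[^/]+\.cgi$")

# Assumed (hypothetical) proxy log layout: timestamp client_ip method url status
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def is_beacon(url):
    """True if the URL has the path shape above and carries a query string."""
    parts = urlsplit(url)
    # Decode percent-escapes so /%7Esvtq/ is treated the same as /~svtq/.
    return bool(BEACON_PATH.match(unquote(parts.path))) and parts.query != ""


def find_beaconing_hosts(lines):
    """Map each client IP to the (timestamp, url) pairs that matched."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        timestamp, client, _method, url, _status = m.groups()
        if is_beacon(url):
            hits[client].append((timestamp, url))
    return dict(hits)


# Constructed sample log lines; hosts, page names and IDs are placeholders.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET http://host.example.test/~svtq/cgi-bin/page.cgi?a1b2c3 200",
    "2024-01-01T10:00:05Z 10.0.0.7 GET http://www.example.test/index.html 200",
    "2024-01-01T10:01:00Z 10.0.0.5 POST http://host.example.test/%7Esvtq/cgi-bin/other.cgi?77 200",
    "2024-01-01T10:02:00Z 10.0.0.9 GET http://host.example.test/~svtq/cgi-bin/page.cgi 404",
    "2024-01-01T10:03:00Z 10.0.0.8 GET http://host.example.test/~svtq/docs/readme.cgi?1 200",
    "malformed line",
]

if __name__ == "__main__":
    for client, events in find_beaconing_hosts(SAMPLE_LOG).items():
        print(client, len(events), "matching requests")
```

Matching on the path alone is deliberate, since the host portion is redacted in the write-up; a client that appears in the result is a candidate for closer inspection, not a confirmed infection.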
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":