When the Trojan is executed, it copies itself to a random folder using a random name.
The threat may also rename itself as one of the following legitimate programs:
- %UserProfile%\Application Data\Microsoft\Internet Explorer\wpnpinst.exe
- %UserProfile%\Application Data\Microsoft\MMC\tsdiscon.exe
The Trojan then gathers system information from the computer and stores it in the following registry entry, which also starts the Trojan when Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[GATHERED SYSTEM INFORMATION IN UUID FORMAT]" = "[PATH TO THE TROJAN]"
Next the threat uploads system information about the compromised computer and downloads configuration data from one of the following domains:
It makes regular requests to the following pages from the above command-and-control (C&C) servers:
The Trojan uses rootkit functionality to hide its presence on the compromised computer.
It also intercepts network traffic and attempts to add malicious code into the network traffic, depending on the configuration data it receives.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":