When the Trojan is executed, it copies itself to the following location:
Next, it creates the following folder:
C:\Documents and Settings\Administrator\Application Data\Microsoft\Backups
The Trojan then takes screen shots and saves them to the following location:
Where [NUMBER] starts at 0 and increments by 1 for each screen shot that is taken.
Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Google Updater" = "%UserProfile%\Application Data\Microsoft\SysAudio.exe"
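A host check for the artifacts named above (the "Google Updater" Run value, SysAudio.exe and the Backups folder), given here as an added example that is not part of the original write-up or Symantec's tooling. It assumes PowerShell 3.0 or later; all variable names are this example's own.

```powershell
# Added example, not from the original write-up. The value name, file name and
# folder name come from the text above; the variable names are this example's own.
$valueName   = 'Google Updater'
$exeSuffix   = '\Application Data\Microsoft\SysAudio.exe'
$dirSuffix   = '\Application Data\Microsoft\Backups'
$runSubKey   = 'Software\Microsoft\Windows\CurrentVersion\Run'
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$findings    = @()

# HKCU only covers the user running the check, so walk every loaded hive in HKEY_USERS.
# Assumption: users who are not logged on (hive not loaded) are covered by the path check only.
foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $sid = $hive.PSChildName
    if ($sid -like '*_Classes') { continue }
    $props = Get-ItemProperty -Path "Registry::HKEY_USERS\$sid\$runSubKey" -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $prop = $props.PSObject.Properties[$valueName]
    if ($null -eq $prop) { continue }
    # Compare on the path suffix so the match holds whether or not %UserProfile% was expanded.
    $data = ([string]$prop.Value).Trim('"')
    $findings += [pscustomobject]@{
        Indicator      = 'Run value'
        Location       = "HKEY_USERS\$sid\$runSubKey"
        Data           = $data
        MatchesWriteUp = ($data -like "*$exeSuffix")
    }
}

# Look for the dropped file and the Backups folder under every profile on the machine.
foreach ($p in Get-ChildItem -Path $profileList -ErrorAction SilentlyContinue) {
    $root = (Get-ItemProperty -Path $p.PSPath -ErrorAction SilentlyContinue).ProfileImagePath
    if (-not $root) { continue }
    foreach ($suffix in @($exeSuffix, $dirSuffix)) {
        $path = $root + $suffix
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{
                Indicator = 'Path'; Location = $path; Data = ''; MatchesWriteUp = $true
            }
        }
    }
}

if ($findings.Count -gt 0) { $findings | Format-List } else { 'No indicators from the write-up found.' }
```

A Run value with this name whose data does not match the write-up's path is still listed, with MatchesWriteUp set to False, so it can be reviewed by hand.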
The Trojan also records the following information:
- Title bars of open windows
The stolen information is then sent to the following location in an email format:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":