When the Trojan executes, it injects itself into the following process:
The Trojan then ends the original process.
Then it deletes itself from the file system.
The Trojan uses bootkit functionality to infect the following boot records so that it runs every time Windows starts:
- Master boot record
- Volume boot record
Next, the Trojan attempts to elevate its execution privileges by exploiting one of the following vulnerabilities:
The Trojan uses the compromised boot record to load malicious driver code, which enables additional components to be downloaded and code to be injected into user processes.
The Trojan may connect to the following remote locations:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":