When the Trojan is executed, it copies itself as the following file:
%UserProfile%\[RANDOM FILE NAME].exe
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Windows Update Server" = "%UserProfile%\[RANDOM FILE NAME].exe"
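The following PowerShell check is an added example, not part of the Symantec write-up: it walks the current user's Run key and flags entries that use the value name quoted above or that launch an executable sitting directly in the profile root, the two traits this persistence entry exhibits. The function name, output fields and reason strings are this example's own.

```powershell
# Added defender check (not from the Symantec write-up). Only the value name
# "Windows Update Server" and the %UserProfile%\<name>.exe location come from
# the page; the function name and output format are assumptions of this example.
function Find-SuspiciousRunEntry {
    $runKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $profileRoot = ($env:USERPROFILE).TrimEnd('\')
    if (-not (Test-Path $runKey)) { return }

    $entries = Get-ItemProperty -Path $runKey
    foreach ($prop in $entries.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
        if ($prop.Name -like 'PS*') { continue }

        $name     = $prop.Name
        $expanded = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)

        # Extract the executable path, with or without surrounding quotes
        $exePath = $null
        if ($expanded -match '^\s*"?([^"]+?\.exe)"?') { $exePath = $Matches[1] }

        $reasons = @()
        if ($name -eq 'Windows Update Server') {
            $reasons += 'value name matches the one used by this Trojan'
        }
        if ($exePath -and ((Split-Path $exePath -Parent).TrimEnd('\') -eq $profileRoot)) {
            $reasons += 'executable sits directly in the user profile root'
        }
        if ($reasons.Count -eq 0) { continue }

        # Hash the file if it is still on disk so it can be compared with AV/IR data
        $hash = $null
        if ($exePath -and (Test-Path -LiteralPath $exePath)) {
            $hash = (Get-FileHash -LiteralPath $exePath -Algorithm SHA256).Hash
        }

        [pscustomobject]@{
            ValueName = $name
            Command   = $prop.Value
            Path      = $exePath
            SHA256    = $hash
            Reasons   = ($reasons -join '; ')
        }
    }
}

Find-SuspiciousRunEntry | Format-List
```

Run it in the context of each user account you are checking, since HKCU is per user; a hit on the profile-root rule alone is a lead to verify, not proof on its own.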
It then injects itself into the following processes:
It also creates the following Named Mapping file:
The Trojan steals the following information:
- Computer locale
- Details regarding the hard disk drive (HDD)
- Operating system version
Next, it sends the stolen information to the following IP address:
The Trojan then issues DNS queries for generated domain names to obtain a domain name or IP address, which it injects as a script tag after the </HTML> tag.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":