An infected website asks the user for permission to run a malicious .jar file. The .jar file determines the user's operating system and downloads a file that depends on whether the operating system is Windows, Linux, or Mac OS.
The Trojan then downloads and executes an installer which copies a file to the following location:
Next, the Trojan opens a back door on the compromised computer.
The Trojan may also create the following administrative user accounts:
- User name: dark
- Password: P@55w0rd
- User name: tod
- Password: password
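
A check for the account names listed above, as an added example that is not part of the original write-up. It assumes a Unix-like host with passwd(5) and group(5) format data (the write-up does not say on which operating system the accounts are created); the administrative group names and the sample data are assumptions constructed for illustration.

```python
# Account names listed in the write-up above.
IOC_USERS = {"dark", "tod"}
# Assumption: groups that commonly grant administrative rights on Unix-like hosts.
ADMIN_GROUPS = {"root", "sudo", "wheel", "admin"}

# Constructed sample data in passwd(5) and group(5) format, not taken from a real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
dark:x:1001:1001::/home/dark:/bin/sh
tod:x:0:0::/home/tod:/bin/sh
todd:x:1002:1002:Todd:/home/todd:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,dark
users:x:100:alice,todd
"""


def parse_colon_file(text, min_fields):
    """Split passwd/group style text into field lists, skipping comments and short lines."""
    rows = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) < min_fields:
            continue
        rows.append(fields)
    return rows


def find_suspect_accounts(passwd_text, group_text):
    """Return [(user, reasons)] for each listed account name present in passwd_text."""
    groups = parse_colon_file(group_text, 4)
    admin_gids = {g[2] for g in groups if g[0] in ADMIN_GROUPS}
    findings = []
    for name, _, uid, gid, *_ in parse_colon_file(passwd_text, 7):
        if name.lower() not in IOC_USERS:  # exact name match, so "todd" is not flagged
            continue
        reasons = []
        if uid == "0":
            reasons.append("uid 0")
        if gid in admin_gids:
            reasons.append("administrative primary group")
        reasons += [f"member of {g[0]}" for g in groups
                    if g[0] in ADMIN_GROUPS and name in g[3].split(",")]
        findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for user, reasons in find_suspect_accounts(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(user, "->", ", ".join(reasons) or "present, no administrative rights found")
```

An account that matches a listed name but has an empty reasons list is still worth reviewing, since the name alone is the indicator.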
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":