When the Trojan is executed, it copies itself to the following location:
It then modifies the login items so that it runs every time OS X starts.
Next, the Trojan opens a back door on the compromised computer.
The Trojan may then perform the following actions:
- Connect to a command-and-control (C&C) server
- Execute remote commands
- Install applications
- Retrieve information on running processes
- Retrieve system information
- Steal mail application and browser passwords
- Take screenshots
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":