When the Trojan is executed, it creates the following file:
The above file is then copied to the following location:
The Trojan also creates the following configuration file that stores command-and-control (C&C) server information:
Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Micorsoft\Windows\CurrentVersion\Run\"Update" = "%UserProfile%\Application Data\googleupdate.exe"
It also creates the following registry entry:
HKEY_CURRENT_USER\Software\Classes\"softbin" = "[BINARY DATA]"
Next, the Trojan ends any of the following antivirus-related processes, if present:
It may then inject code into certain processes on the computer.
Next, the Trojan opens a back door and allows a remote attacker to gain access to the computer.
It then collects system-related information and may send it to a remote location.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":