When the Trojan is executed, it creates the following file:
%UserProfile%\Application Data\[RANDOM CHARACTERS FILE NAME].exe
The Trojan then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Microsoft Windows Application" = "%UserProfile%\Application Data\[RANDOM CHARACTERS FILE NAME].exe"
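The file drop and Run-key persistence described above can be checked directly on a suspected host. The following PowerShell triage script is an added example, not part of the Symantec writeup: it enumerates the HKCU Run values, expands each target path, and flags any value that uses the name quoted above or points at an executable under the user's Application Data folder (the legacy `%UserProfile%\Application Data` path is a junction to `AppData\Roaming` on current Windows, so both forms are checked). It assumes it is run under the affected user account; the value name and folder come from the writeup, everything else is the script's own logic.

```powershell
# Added triage example (not from the writeup): look for the persistence value and
# dropped file described above. Run as the affected user on the suspected host.

$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$legacy  = Join-Path $env:USERPROFILE 'Application Data'   # junction to AppData\Roaming
$modern  = $env:APPDATA

# Read every value under the Run key; the key may not exist on a clean profile
$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if (-not $props) { Write-Output 'No HKCU Run key present'; return }

$props.PSObject.Properties |
  Where-Object { $_.Name -notmatch '^PS' } |          # skip PSPath/PSParentPath etc.
  ForEach-Object {
    $name     = $_.Name
    # Expand %UserProfile% and friends, drop surrounding quotes so Test-Path works
    $expanded = [Environment]::ExpandEnvironmentVariables([string]$_.Value).Trim('"')
    $exists   = Test-Path -LiteralPath $expanded -PathType Leaf

    # Indicators from the writeup: the value name, and an .exe under Application Data
    $suspicious = ($name -eq 'Microsoft Windows Application') -or
                  ($expanded -like "$legacy\*.exe") -or
                  ($expanded -like "$modern\*.exe")

    [pscustomobject]@{
      ValueName  = $name
      Target     = $expanded
      Exists     = $exists
      SHA256     = if ($exists) { (Get-FileHash -LiteralPath $expanded -Algorithm SHA256).Hash } else { '' }
      Suspicious = $suspicious
    }
  } | Format-Table -AutoSize

# Also list loose executables sitting directly in Application Data, whether or not
# a Run value still references them (the dropped file name is random)
Get-ChildItem -LiteralPath $modern -Filter '*.exe' -File -ErrorAction SilentlyContinue |
  Select-Object Name, Length, LastWriteTime
```

A flagged row is a lead, not a verdict: capture the hash before removing anything, and compare it against the samples identified by the vendor before deciding the host is compromised.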
It then creates the following mutex:
Next, the Trojan may inject itself into one of the following legitimate processes:
The Trojan may use one or more of the following domains to test connectivity:
The Trojan then opens a back door on the compromised computer, and connects to one of the following domains in order to receive commands:
The Trojan may then use the compromised computer to perform distributed denial-of-service (DDoS) attacks.
When performing a DDoS attack, the Trojan selects a user-agent string from a list in order to circumvent traditional server-side DDoS mitigation techniques.
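Because the bot rotates its User-Agent string, filtering on a single agent string at the server will not stop it. A more robust server-side signal is the number of distinct agents a single client presents over a short period. The following PowerShell script is an added detection example, not part of the writeup: it parses a few constructed access-log lines in combined log format, groups requests by client IP, and flags sources whose distinct User-Agent count exceeds a threshold. The log lines, the IP addresses (RFC 5737 documentation ranges) and the threshold are all constructed assumptions to be tuned per site.

```powershell
# Added detection example (not from the writeup): flag clients that rotate their
# User-Agent string across requests. Sample lines below are constructed.

$sample = @'
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 512 "-" "Opera/9.80 (Windows NT 5.1) Presto/2.2"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh) Safari/533.1"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) Chrome/12.0"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /style.css HTTP/1.1" 200 310 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
'@

$uaThreshold = 4   # distinct agents from one IP before flagging; assumed value

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
$pattern = '^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<req>[^"]*)" (?<status>\d{3}) \S+ "(?<ref>[^"]*)" "(?<ua>[^"]*)"$'

# Parse each line into an object; lines that do not match the format are skipped
$events = foreach ($line in ($sample -split "`r?`n")) {
  if ($line -match $pattern) {
    [pscustomobject]@{ Ip = $Matches.ip; Ua = $Matches.ua; Request = $Matches.req }
  }
}

# One row per client: request count, distinct agents, and whether it crosses the bar
$events | Group-Object Ip | ForEach-Object {
  $distinct = @($_.Group.Ua | Sort-Object -Unique).Count
  [pscustomobject]@{
    ClientIp       = $_.Name
    Requests       = $_.Count
    DistinctAgents = $distinct
    Flag           = ($distinct -ge $uaThreshold)
  }
} | Sort-Object DistinctAgents -Descending | Format-Table -AutoSize
```

On the constructed input, 203.0.113.10 is flagged (five distinct agents in six requests) and 198.51.100.7 is not. A large NAT or proxy can legitimately present many agents from one address, so in production this count should be combined with request rate and a time window rather than used on its own.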
The Trojan also collects the following information from the compromised computer:
- Host name
- OS version
- User name
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":