When the Trojan is executed, it creates the following file:
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"Load" = "%UserProfile%\Application Data\svchost.exe"
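One way to audit this autostart location on a live system, as an added example that is not part of the original write-up: the script reads the "Load" value from every loaded user hive and flags an svchost.exe path that lies outside System32. The helper name Test-LoadValue and the output field names are hypothetical.

```powershell
# Added example (not from the write-up): audit the "Load" autostart value
# named above in every user hive currently loaded under HKEY_USERS.
$subKey   = 'Software\Microsoft\Windows NT\CurrentVersion\Windows'
$system32 = Join-Path $env:SystemRoot 'System32'

# Hypothetical helper: classify one Load value.
function Test-LoadValue {
    param([string]$Sid, [string]$Value)

    # REG_SZ data is returned unexpanded, so resolve %VAR% references first.
    # Expansion uses the auditing account's environment, which is enough
    # for the System32 comparison below.
    $expanded = [Environment]::ExpandEnvironmentVariables($Value)

    # A system binary name outside System32 is the pattern this page describes.
    $masquerade = ($expanded -match '\\svchost\.exe') -and
                  ($expanded -notmatch [regex]::Escape($system32))

    [pscustomobject]@{
        Sid        = $Sid
        LoadValue  = $expanded
        Masquerade = $masquerade
    }
}

$findings = foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
    $sid = $hive.PSChildName
    if ($sid -like '*_Classes') { continue }   # COM class hives hold no Load value

    $item = Get-ItemProperty -Path "Registry::HKEY_USERS\$sid\$subKey" -Name 'Load' -ErrorAction SilentlyContinue

    # Assumption for triage: any non-empty Load value is treated as worth review.
    if ($item -and -not [string]::IsNullOrWhiteSpace($item.Load)) {
        Test-LoadValue -Sid $sid -Value $item.Load
    }
}

if ($findings) {
    $findings | Sort-Object Masquerade -Descending | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No Load autostart value is set in any loaded user hive.'
}
```

Only hives of logged-on users (and service accounts) are loaded under HKEY_USERS, so profiles of logged-off users are not covered by this pass.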
The Trojan creates the following mutex:
The Trojan then gathers the following information from the compromised computer and sends it to the remote attacker:
- Credit card related information
- System information
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":