When the Trojan is executed, it creates the following files:
Next, the Trojan creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\"22222" = "%ProgramFiles%\tongji2.exe"
The Trojan then creates a service with the following characteristics:
It then injects code into the following process in an attempt to hide itself:
Next, the Trojan connects to the following remote command-and-control (C&C) server on TCP port 889 and opens a back door allowing a remote attacker to gain access to the compromised computer:
It may then delete the following file:
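As an added triage aid (not Symantec's code), the PowerShell script below checks a Windows host for the indicators this writeup does spell out: the `22222` value under the Setup registry key, the `%ProgramFiles%\tongji2.exe` file, and sockets to the C&C port 889. It assumes a modern Windows host where `Get-NetTCPConnection` is available, and the extra "any .exe-valued entry under Setup" check is my own generalisation, not something the writeup states.

```powershell
# Added triage script (not from the original writeup). Run elevated.
$regPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup'
$regValue = '22222'                                   # value name from the writeup
$dropPath = Join-Path $env:ProgramFiles 'tongji2.exe' # dropped file from the writeup
$c2Port   = 889                                       # C&C TCP port from the writeup
$findings = @()

# 1. Persistence value under the Setup key (an unusual place for an autorun entry)
$props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
if ($props -and ($props.PSObject.Properties.Name -contains $regValue)) {
    $findings += "Registry: $regPath\$regValue = $($props.$regValue)"
}
# Assumption: variants may use another value name, so also flag any value under
# Setup whose data points at an executable (PSPath etc. are provider metadata).
$meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if (($p.Name -notin $meta) -and ($p.Value -is [string]) -and
            ($p.Value -match '\.exe"?\s*$')) {
            $findings += "Registry (exe-valued): $regPath\$($p.Name) = $($p.Value)"
        }
    }
}

# 2. Dropped binary in %ProgramFiles%; record its hash for the incident ticket
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings += "File: $dropPath (SHA256 $hash)"
}

# 3. Any TCP connection to the C&C port, with the owning process for context
$conns = Get-NetTCPConnection -RemotePort $c2Port -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings += ("Network: {0}:{1} -> {2}:{3} state {4} pid {5} ({6})" -f
        $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c2Port,
        $c.State, $c.OwningProcess, $proc.ProcessName)
}

if ($findings.Count -eq 0) { 'No indicators from this writeup were found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on the registry or file check is strong evidence; a hit on port 889 alone needs the remote address and owning process reviewed, since the port is not unique to this Trojan.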
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":