When the Trojan is executed, it may drop the following configuration file:
Next, it registers itself as a service by creating the following registry subkey:
The Trojan may then open a back door on the compromised computer and communicate with a command-and-control (C&C) server using HTTP on UDP port 501.
It may also be configured to use a UDP port between 1 and 255.
It then allows a remote attacker to perform the following actions on the compromised computer:
- Close IP connections
- Enumerate and end any running processes
- Open a remote shell
- Retrieve information from the computer (for example, the IP address and the current date)
- Stop executing the Trojan
The Trojan may also monitor network traffic on the compromised computer.
It can also modify the firewall configuration to disable notifications and accept the UDP communications the threat uses.
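As an added detection example (not code from the Symantec write-up), the script below scans flow records for the C&C traffic profile described above: outbound UDP to port 501, or to a low port in the 1-255 range the Trojan may be configured to use. The internal address ranges, the low-port allowlist and the record format are assumptions, and the sample flows are constructed.

```python
# Added example, not code from the write-up; internal ranges, allowlist and record format are assumed.
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress
CC_FIXED_PORT = 501           # UDP port stated in the write-up
CC_LOW_RANGE = range(1, 256)  # "a UDP port between 1 and 255"
# Assumed RFC 1918 internal ranges; traffic staying inside them is not candidate C&C.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed allowlist of low UDP ports hosts legitimately use (DNS, DHCP, NTP, NetBIOS).
EXPECTED_LOW_UDP = {53, 67, 68, 123, 137, 138}
@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def match_reason(f: Flow) -> Optional[str]:
    """Return why the flow matches the described C&C profile, or None if it does not."""
    if f.proto != "udp" or is_internal(f.dst):
        return None
    if f.dport == CC_FIXED_PORT:
        return "udp/501 to external host"
    if f.dport in CC_LOW_RANGE and f.dport not in EXPECTED_LOW_UDP:
        return f"udp/{f.dport}: low port outside allowlist, to external host"
    return None

def parse_flow(line: str) -> Flow:
    src, dst, proto, dport = line.split()  # constructed record format: src dst proto dport
    return Flow(src, dst, proto.lower(), int(dport))

def scan(lines: List[str]) -> List[Tuple[str, str, int, str]]:
    hits = []  # (src, dst, dport, reason) for every flow that matches
    for f in map(parse_flow, lines):
        reason = match_reason(f)
        if reason:
            hits.append((f.src, f.dst, f.dport, reason))
    return hits

SAMPLE_FLOWS = [  # constructed: only the udp/501 and udp/200 flows to external hosts should be flagged
    "10.0.0.5 203.0.113.10 udp 501",   # fixed C&C port
    "10.0.0.5 203.0.113.10 udp 53",    # ordinary DNS, allowlisted
    "10.0.0.5 198.51.100.7 udp 200",   # configured low port
    "10.0.0.5 10.0.0.1 udp 501",       # internal destination, ignored
    "10.0.0.5 203.0.113.10 tcp 501",   # not UDP
]
```

Tune `EXPECTED_LOW_UDP` to the protocols your hosts actually speak; the low-port rule is only useful once ordinary traffic in that range is accounted for.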
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":