When the Trojan is executed, it creates the following files:
- %Temp%\[RANDOM NUMBER].dll
- %System%\drivers\[RANDOM NUMBER].sys
It then creates the following registry subkey:
The Trojan infects the master boot record (MBR).
It then attempts to log keystrokes and titles of active windows. It saves the gathered information in the following file:
Next, the Trojan attempts to send the gathered information to the following locations:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":