When the Trojan is executed, it creates the following files:
- %Temp%\[RANDOM FILE NAME].exe
- %UserProfile%\Application Data\[RANDOM FILE NAME].exe
Next, it creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[COMPUTER SPECIFIC STRING]" = "[PATH TO TROJAN]"
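Because the Run value name is a computer-specific string and the file names are random, a check for this persistence has to key on where the Run entry points rather than on a name. The following PowerShell is an added example, not part of the original write-up or Symantec tooling; the function names are hypothetical, and treating %AppData% as the equivalent of "Application Data" on newer Windows versions is an assumption.

```powershell
# Added example: list HKCU Run values whose target is an .exe located directly
# in %Temp% or in the roaming Application Data folder.

function Get-RunEntryTarget {
    param([string]$Command)
    # Expand %VAR% references, then take the quoted path or the text up to ".exe".
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $expanded
}

function Find-SuspiciousRunEntry {
    param([string]$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')

    # Drop locations named in the write-up. %AppData% is included on the
    # assumption that newer Windows versions map "Application Data" to it.
    $dropDirs = @($env:TEMP, $env:APPDATA,
                  (Join-Path $env:USERPROFILE 'Application Data')) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

    $key = Get-Item -LiteralPath $RunKey -ErrorAction SilentlyContinue
    if (-not $key) { return }

    foreach ($name in $key.GetValueNames()) {
        $command = [string]$key.GetValue($name)
        $target  = Get-RunEntryTarget $command
        if ($target -notmatch '\.exe$') { continue }

        try { $parent = [System.IO.Path]::GetDirectoryName($target) }
        catch { continue }   # malformed path, nothing to compare
        if ($dropDirs -notcontains $parent) { continue }

        $exists = Test-Path -LiteralPath $target -PathType Leaf
        [pscustomobject]@{
            ValueName = $name
            Command   = $command
            Target    = $target
            Exists    = $exists
            SHA256    = if ($exists) { (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash }
        }
    }
}

Find-SuspiciousRunEntry | Format-List
```

Legitimate software also starts from the Application Data folder, so each hit is a lead to verify rather than a detection. The directory comparison is a plain string match, so a Run entry written with an 8.3 short path will not match a long-form %Temp% and vice versa.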
It creates the following mutex so that only one instance of the Trojan runs on the computer:
The Trojan then opens a back door on the compromised computer and downloads files from the following URLs:
It may then send spam from the compromised computer.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":