When the Trojan is executed, it copies itself to the following locations:
The Trojan then drops the following files:
- %UserProfile%\Application Data\BIFIT_A\bifit_a.cfg
- %UserProfile%\Application Data\BIFIT_A\bifit_agent.jar
- %UserProfile%\Application Data\BIFIT_A\javassist.jar
Next, the Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"bifit_agent" = "%UserProfile%\Application Data\BIFIT_A\agent.exe"
The Trojan then opens a back door on the compromised computer, and connects to the following domain:
http :// 18.104.22.168/site1/client.php
It may then perform the following actions:
- Create new processes
- Download files
- End processes
The Trojan then modifies Java code in online banking applications in order to steal confidential information.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":