When the Trojan is executed, it creates the following files:
- %SystemDrive%\MSOCache\MS[THREE DIGITS].log
The threat modifies the attributes of the files in order to hide them from the user.
The Trojan creates the following registry entries so that it runs every time Windows starts:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"GlitchInstrumentation" = "%SystemDrive%\MSOCache\Ron.exe\"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"GlitchInstrumentation" = "%SystemDrive%\MSOCache\Ron.exe\"
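A read-only PowerShell check for the file and registry artifacts listed above, added here as an example; it is not part of the original write-up. The WOW6432Node key is an assumption not listed on this page, and the HKCU check covers only the user running the script.

```powershell
# Added example: looks for the artifacts named in this write-up. Makes no changes.
$valueName = 'GlitchInstrumentation'                 # Run value name from the write-up
$cacheDir  = Join-Path $env:SystemDrive 'MSOCache'   # %SystemDrive%\MSOCache
$findings  = @()

# 1. Persistence: the Run value in the hives named in the write-up.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    # Assumption, not listed on the page: the redirected key that a 32-bit
    # process writes to on 64-bit Windows.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $prop = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($prop) {
        $findings += [pscustomobject]@{
            Type   = 'RunValue'
            Where  = $key
            Detail = $prop.$valueName
        }
    }
}

# 2. Dropped files: MS<three digits>.log and Ron.exe under MSOCache.
#    -Force is needed because the threat sets attributes that hide its files.
if (Test-Path -LiteralPath $cacheDir) {
    $files = Get-ChildItem -LiteralPath $cacheDir -File -Force -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        if ($f.Name -match '^MS\d{3}\.log$' -or $f.Name -ieq 'Ron.exe') {
            $findings += [pscustomobject]@{
                Type   = 'File'
                Where  = $f.FullName
                Detail = "Attributes=$($f.Attributes); LastWriteUtc=$($f.LastWriteTimeUtc.ToString('u'))"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No artifacts from this write-up were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A clean result rules out only these specific names and paths; the MSOCache directory itself also exists on systems with a legitimate Microsoft Office installation.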
The Trojan creates the following mutex so that only one instance of the threat is running:
The Trojan collects system information and stores it in the following file:
It also gathers files with the following file extensions:
It saves the gathered files in the following file:
The Trojan also logs keystrokes and open window titles, and saves the information in the following file:
The Trojan then uploads the stolen information to the following locations:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":