When the Trojan is executed, it attempts to replace a filter module for the Apache HTTP Server version 2.2 on Linux with its own code.
Once the threat is loaded, it performs the following actions:
- Monitors HTTP requests from remote computers
- Modifies outgoing traffic from the compromised HTTP server to remote computers
- Checks for specific search engines to make sure that the malicious component of the Web page is not sent to them
The Trojan may also open a back door and allow a remote attacker to gain access to the compromised computer.
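
Because the threat works by replacing an Apache module on disk, one way to detect it is to hash every file named in a LoadModule directive and compare it against a known-good baseline. The following is an added example, not part of the original writeup: the config fragment, the module names, the file contents and the audit_modules helper are all constructed for illustration, and the writeup does not say which module is replaced.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Active (uncommented) "LoadModule <name> <file>" directives, one per line.
LOADMODULE = re.compile(r'^[ \t]*LoadModule[ \t]+(\S+)[ \t]+(\S+)', re.I | re.M)

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit_modules(config_text, server_root, baseline):
    """Return (module, path, status) for every loaded module that deviates.
    baseline maps the path as written in the config to its expected SHA-256."""
    findings = []
    for name, rel in LOADMODULE.findall(config_text):
        # Relative module paths are resolved against ServerRoot, as Apache does.
        path = Path(rel) if Path(rel).is_absolute() else Path(server_root) / rel
        if not path.is_file():
            findings.append((name, rel, "missing"))
        elif rel not in baseline:
            findings.append((name, rel, "not-in-baseline"))
        elif sha256_file(path) != baseline[rel]:
            findings.append((name, rel, "hash-mismatch"))
    return findings

def demo():
    # Constructed sample: a fake ServerRoot holding two placeholder module files.
    with tempfile.TemporaryDirectory() as root:
        mods = Path(root) / "modules"
        mods.mkdir()
        (mods / "mod_deflate.so").write_bytes(b"original filter module")
        (mods / "mod_alias.so").write_bytes(b"original alias module")
        config = (
            "# constructed httpd.conf fragment\n"
            "LoadModule deflate_module modules/mod_deflate.so\n"
            "LoadModule alias_module modules/mod_alias.so\n"
            "#LoadModule status_module modules/mod_status.so\n"
        )
        # Baseline taken while the files are still in their known-good state.
        baseline = {rel: sha256_file(Path(root) / rel)
                    for _, rel in LOADMODULE.findall(config)}
        # Simulate a filter module being replaced on disk after the baseline.
        (mods / "mod_deflate.so").write_bytes(b"different contents")
        return audit_modules(config, root, baseline)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The baseline must be captured from a trusted source (a clean install or the distribution's package), since a baseline taken after compromise would record the replaced file as good.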