When the Trojan is executed, it copies itself to the following location:
%UserProfile%\Application Data\System\[THREAT NAME].exe
The Trojan then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[THREAT NAME]" = "%UserProfile%\Application Data\System\[THREAT NAME].exe"
The Trojan then connects to a command-and-control (C&C) server using the following URL and waits for commands:
[C&C SERVER ADDRESS]/cmd.php
Where [C&C SERVER ADDRESS] is one of the following:
It also downloads lists of common user names and passwords and uses them in brute-force attacks against a list of target hosts.
The Trojan sends any credentials that worked back to the C&C server using one of the following URLs:
- [http://][C&C SERVER ADDRESS]/bruteres.php
- [http://][C&C SERVER ADDRESS]/checkres.php
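The persistence entry and the three C&C URL paths above are the indicators a defender can act on. The following Python is an added example (not Symantec's code and not part of the write-up) that applies them to two constructed inputs: a dictionary of HKCU Run values as you might collect with `reg query`, and a few constructed proxy log lines in an assumed "timestamp client method url status" format. The C&C host names (`cnc.example.invalid`, `cnc2.example.invalid`) are placeholders, since the write-up's list of server addresses is not reproduced here; the check therefore keys on the URL path only. It also goes one step beyond the text by correlating a host that polled `cmd.php` with the same host later posting to `bruteres.php`/`checkres.php`, which is the moment the write-up says harvested credentials leave the network.

```python
import re
from urllib.parse import urlsplit

# Indicators transcribed from the write-up: the dropper directory under
# %UserProfile%\Application Data\System\ and the three C&C script paths.
# Every host name, log line and registry value below is constructed.
PERSIST_PATH_RE = re.compile(r'\\Application Data\\System\\[^\\"]+\.exe', re.IGNORECASE)
BEACON_PATH = "/cmd.php"
EXFIL_PATHS = ("/bruteres.php", "/checkres.php")


def check_run_values(run_values):
    """Flag HKCU\\...\\Run values whose command points into the dropper directory.

    run_values: dict of value name -> command string (e.g. parsed from 'reg query').
    Returns a list of (value name, command) pairs that match.
    """
    hits = []
    for name, command in run_values.items():
        if PERSIST_PATH_RE.search(command):
            hits.append((name, command))
    return hits


# Assumed proxy log format (constructed): "<timestamp> <client-ip> <method> <url> <status>"
PROXY_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify_request(url):
    """Return 'beacon', 'exfil' or None based on the URL path alone,
    so the C&C host does not have to be known in advance."""
    path = urlsplit(url).path.lower()
    if path.endswith(BEACON_PATH):
        return "beacon"
    if path.endswith(EXFIL_PATHS):
        return "exfil"
    return None


def scan_proxy_log(lines):
    """Return (client-ip, kind, url) for every request that hits a C&C path."""
    events = []
    for line in lines:
        m = PROXY_LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected format; skip rather than guess
        kind = classify_request(m.group("url"))
        if kind:
            events.append((m.group("src"), kind, m.group("url")))
    return events


def hosts_with_beacon_and_exfil(events):
    """Clients that both polled cmd.php and posted to bruteres/checkres.

    Per the write-up the second request carries credentials the brute-force
    attack succeeded with, so these hosts warrant priority containment and a
    password reset for the accounts involved.
    """
    kinds = {}
    for src, kind, _ in events:
        kinds.setdefault(src, set()).add(kind)
    return sorted(src for src, k in kinds.items() if {"beacon", "exfil"} <= k)


# Constructed sample inputs.
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "SampleThreat": r'"C:\Documents and Settings\alice\Application Data\System\SampleThreat.exe"',
}

SAMPLE_PROXY_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.5 GET http://cnc.example.invalid/cmd.php 200",
    "2024-01-01T10:00:02Z 10.0.0.5 GET http://www.example.com/index.php 200",
    "2024-01-01T10:05:10Z 10.0.0.5 POST http://cnc.example.invalid/bruteres.php?h=1 200",
    "2024-01-01T10:05:11Z 10.0.0.7 GET http://intranet.example.com/checkresults.php 200",
    "2024-01-01T10:06:00Z 10.0.0.9 GET http://cnc2.example.invalid/panel/cmd.php 200",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for name, cmd in check_run_values(SAMPLE_RUN_VALUES):
        print(f"persistence: Run\\{name} -> {cmd}")
    events = scan_proxy_log(SAMPLE_PROXY_LOG)
    for src, kind, url in events:
        print(f"{kind:6} {src} {url}")
    print("beacon+exfil hosts:", hosts_with_beacon_and_exfil(events))
```

Matching on `Application Data\System\` rather than on the threat name is deliberate: the file name is a placeholder in the write-up, while the directory is fixed. Note that `/checkresults.php` on the intranet host is not flagged, because the comparison is against the full `/checkres.php` path component.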
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":