When the Trojan is executed, it creates the following registry entries so that it runs every time Windows starts:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Certificates\"DLLName" = "Jpklib.dll"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Certificates\"StartShell" = "WLEventStartShell"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Certificates\"Startup" = "WLEventStartup"
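The three values above describe a Winlogon notification package: Winlogon loads the DLL named in `DLLName` and calls the exported functions named in `StartShell` and `Startup`, so the Trojan runs at every logon without a Run key. The following PowerShell script is an added example for defenders (not part of the Symantec writeup and not a Symantec tool): it enumerates every subkey under `Winlogon\Notify`, reports the DLL and callback names, resolves the DLL on disk and hashes it, and flags any package not in a local allow-list. The `$Baseline` list and the assumption that an unqualified DLL name resolves to `System32` are placeholders to be confirmed against a known-clean host.

```powershell
# Added example: audit Winlogon notification packages for unexpected DLLs.
# $Baseline is an assumption; populate it from a known-good system before use.
$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$Baseline  = @()   # e.g. DLL names observed on a clean host of the same build

if (-not (Test-Path $NotifyKey)) {
    Write-Output "No Winlogon\Notify key present on this host; nothing to audit."
    return
}

$findings = Get-ChildItem -Path $NotifyKey | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    $dll   = $props.DLLName

    # Assumption: an unqualified DLLName (as in "Jpklib.dll") is looked up in
    # the system directory; a rooted path is used as given.
    $resolved = $null
    $hash     = $null
    if ($dll) {
        $candidate = if ([System.IO.Path]::IsPathRooted($dll)) { $dll }
                     else { Join-Path $env:SystemRoot "System32\$dll" }
        if (Test-Path $candidate) {
            $resolved = $candidate
            $hash = (Get-FileHash -Path $candidate -Algorithm SHA256).Hash
        }
    }

    [PSCustomObject]@{
        Subkey     = $_.PSChildName
        DLLName    = $dll
        StartShell = $props.StartShell
        Startup    = $props.Startup
        OnDisk     = $resolved
        SHA256     = $hash
        InBaseline = [bool]($dll -and ($Baseline -contains $dll))
    }
}

# Anything outside the baseline is worth an analyst's attention: compare the
# SHA256 with vendor-published indicators and inspect the DLL before removal.
$findings | Where-Object { -not $_.InBaseline } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the suspect host; a subkey whose `DLLName` points at a file missing from disk, or whose hash is unknown, is a candidate for the persistence described above and should be preserved as evidence before the key is cleaned.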
The Trojan then creates the following registry subkey:
It then reads the encrypted configuration data stored under that subkey and decrypts it.
The decrypted configuration data includes the following:
- Binding port
- Self update, upload, and proxy server locations
Next, the Trojan searches for the following files related to security programs:
The Trojan has the functionality to close windows and terminate processes related to security programs.
The Trojan may search for files on the compromised computer with the following extensions:
It will then send the gathered information to the following remote location:
The Trojan then opens a back door on the compromised computer, allowing an attacker to perform the following actions:
- Terminate or delete the service
- Restart the computer
- Change the binding port
- End processes
- Update itself
- Create and delete directories
- Move files
- Alter the registry
The Trojan may also download configuration data from the following locations:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":