The Trojan will add a file to the following folder so that it runs every time the computer starts:
The Trojan is aware of virtual machines and checks /proc/scsi for the following strings:
The Trojan checks to make sure it is not running in a chrooted environment.
The Trojan opens a back door on the compromised computer and connects to a port received from the command-and-control server.
Note: The Trojan can be configured to connect to different servers and ports.
The Trojan steals information from the following browsers:
The Trojan stops communicating with the command-and-control server if it finds an active monitoring program in memory.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":