When the Trojan is executed, it checks that it is running in a 32-bit environment and terminates otherwise.
The Trojan may create any of the following registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\"ie" = "[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[COMPROMISED SERVICE NAME]\"DependOnService" = ""
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[COMPROMISED SERVICE NAME]\"Start" = "4"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\"svcname" = "[COMPROMISED SERVICE NAME]"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\"id" = "[HEXADECIMAL NUMBER]"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\"it" = "[BINARY DATA]"
The Trojan may delete the following registry entry:
The Trojan may create the following registry entry so that it runs every time Windows starts:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Btr\"Run" = "[BINARY DATA]"
The Trojan creates the following mutex to ensure that there is only one instance running at the same time:
The Trojan may compromise one of the services found in the following registry subkey:
The Trojan may delete the file recorded in the following registry entry:
The Trojan then deletes that registry entry.
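The registry footprint described above (the `Updates` key and its `ie`, `svcname`, `id` and `it` values, the `Btr\Run` value, and a service key whose `Start` is set to 4 with an empty `DependOnService`) is small enough to check offline from a `reg export` of the two hives. The following Python is an added example, not code from the advisory or from Symantec: it parses an exported `.reg` file into a tree and reports which of the listed indicators are present. The export text, the service name `FakeSvc`, the file path and the hex data are constructed for the example; the key paths and value names come from the advisory.

```python
import re
from typing import Dict, List, Union

Value = Union[str, int, bytes]
RegTree = Dict[str, Dict[str, Value]]

# Key paths and value names are those listed in the advisory.
UPDATES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
UPDATES_VALUES = ("ie", "svcname", "id", "it")

# Constructed sample of `reg export` output, already decoded to text.
# (A real export is UTF-16 LE with a BOM; open it with encoding="utf-16".)
# "FakeSvc", the path and the hex bytes are made up for this example.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates]
"ie"="C:\\Windows\\qzxw\\kplm.exe"
"svcname"="FakeSvc"
"id"="1a2b3c4d"
"it"=hex:01,02,03,\
  04,05

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Btr]
"Run"=hex:4d,5a,90,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FakeSvc]
"DependOnService"=""
"Start"=dword:00000004
"ImagePath"="C:\\Windows\\qzxw\\kplm.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FakeSvc\Parameters]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"DependOnService"=hex(7):41,00,66,00,64,00,00,00,00,00
"Start"=dword:00000002
'''


def _decode(raw: str) -> Value:
    """Decode the right-hand side of a .reg value line (string, dword or hex)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\(\d+\))?:(.*)", raw)
    if m:
        return bytes.fromhex(m.group(1).replace(",", ""))
    return raw


def parse_reg_export(text: str) -> RegTree:
    """Parse `reg export` text into {key_path: {value_name: value}}."""
    tree: RegTree = {}
    current = None
    pending = ""  # hex data continued over lines ending in a backslash
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = re.match(r'^(?:"([^"]+)"|@)=(.*)$', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            tree[current][name] = _decode(m.group(2))
    return tree


def _values(tree: RegTree, key: str) -> Dict[str, Value]:
    """Registry names are case-insensitive: look the key up and lowercase value names."""
    for path, values in tree.items():
        if path.lower() == key.lower():
            return {n.lower(): v for n, v in values.items()}
    return {}


def find_indicators(tree: RegTree) -> Dict[str, object]:
    """Report which of the advisory's registry indicators appear in the tree."""
    updates = _values(tree, UPDATES_KEY)
    present = [n for n in UPDATES_VALUES if n in updates]
    btr_run = "run" in _values(tree, UPDATES_KEY + r"\Btr")
    svcname = updates.get("svcname")
    suspicious: List[str] = []
    prefix = SERVICES_KEY.lower() + "\\"
    for path in tree:
        if not path.lower().startswith(prefix):
            continue
        svc = path[len(prefix):]
        if "\\" in svc:  # only the service key itself, not Parameters etc.
            continue
        vals = _values(tree, path)
        disabled = vals.get("start") in (4, "4")           # Start = 4 (disabled)
        detached = vals.get("dependonservice") in ("", b"")  # DependOnService = ""
        named = isinstance(svcname, str) and svc.lower() == svcname.lower()
        if (disabled and detached) or named:
            suspicious.append(svc)
    return {"updates_values": present, "btr_run": btr_run,
            "services": suspicious, "dropper_path": updates.get("ie")}


if __name__ == "__main__":
    for k, v in find_indicators(parse_reg_export(SAMPLE_EXPORT)).items():
        print(f"{k}: {v}")
```

On a live host, export the two hives with `reg export HKLM\SOFTWARE\Microsoft\Updates updates.reg` and `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`, concatenate the decoded text, and feed it to `parse_reg_export`. A service flagged only because `Start` is 4 and `DependOnService` is empty may be a legitimately disabled service; the match on `svcname`, and the `ie` path pointing at the dropped executable, are what tie it to this Trojan.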
The Trojan opens a back door on the compromised computer and connects to the following domain:
The Trojan may then perform the following actions:
- Gather system information
- Download files
- Execute files
- Manage files
- Manage registry entries
- Manage system processes
- Shut down the computer
- Clear the event logs
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":