When the Trojan is executed, it reads configuration data from the following location:
[PATH TO TROJAN]\httpclient.txt
The Trojan then uses a custom encrypted protocol to connect to a remote command and control server to check for the following commands:
- Execute cmd.exe
- Create TCP proxy tunnels
- Read or write files
The Trojan may use an NT LAN Manager (NTLM) proxy server to secure communications.
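The one host-based indicator this writeup gives is the configuration file's location: a file named httpclient.txt sitting in the same directory as the Trojan executable. The following Python script is an added example (not Symantec's code or tooling) that turns that detail into a simple hunt: it walks a directory tree and reports every httpclient.txt that shares a folder with an executable, ignoring lone copies of the file that have no executable beside them. The executable suffix list and the sample directory tree (including the file name placeholder.exe) are constructed assumptions for the demonstration, not indicators from the writeup.

```python
import os
import tempfile
from pathlib import Path

# Indicator from the writeup: the Trojan reads its configuration from
# [PATH TO TROJAN]\httpclient.txt, i.e. a file named httpclient.txt that sits
# in the same directory as the Trojan executable.
CONFIG_NAME = "httpclient.txt"

# Assumption: which suffixes count as "an executable beside the config".
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com"}


def find_colocated_configs(root):
    """Walk `root` and return (config_path, [executables in same dir]) pairs
    for every httpclient.txt that shares a directory with an executable.

    A lone httpclient.txt with no executable next to it is not reported, which
    keeps the heuristic from flagging, for example, a developer's notes file
    that happens to carry the same name."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        names_lower = {n.lower(): n for n in filenames}
        if CONFIG_NAME not in names_lower:
            continue
        executables = sorted(
            n for n in filenames if Path(n).suffix.lower() in EXECUTABLE_SUFFIXES
        )
        if executables:
            hits.append((os.path.join(dirpath, names_lower[CONFIG_NAME]), executables))
    return hits


def build_sample_tree():
    """Constructed sample tree for the demonstration (not real malware
    artefacts): one directory that matches the indicator, one that does not."""
    root = tempfile.mkdtemp(prefix="hunt_demo_")

    # Matches: an executable and httpclient.txt in the same folder.
    suspicious = Path(root, "ProgramData", "svc")
    suspicious.mkdir(parents=True)
    (suspicious / "placeholder.exe").write_bytes(b"MZ" + b"\0" * 16)  # stub, not a real PE
    (suspicious / "httpclient.txt").write_text("placeholder-config")

    # Does not match: httpclient.txt with no executable beside it.
    benign = Path(root, "Users", "dev", "notes")
    benign.mkdir(parents=True)
    (benign / "httpclient.txt").write_text("curl cheat sheet")

    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for config, exes in find_colocated_configs(root):
        print(f"[!] {config} sits beside executable(s): {', '.join(exes)}")
```

In a real hunt, point `find_colocated_configs` at the volumes you want to sweep instead of the constructed tree; any hit is a lead to triage (hash the neighbouring executable, check its signature and the process tree it spawns, and look for cmd.exe children and outbound connections over the Trojan's custom protocol), not a verdict on its own, since the file name alone is not a strong indicator.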
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":