Once executed, the Trojan copies itself to the following location:
It then creates the following file:
The Trojan then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Run\"JavaUpdate" = "%Temp%\update.jar"
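The persistence entry above can be checked for during triage. The following is an added example, not part of the original write-up: it parses text in the format printed by `reg query` for a Run key and flags both the exact `JavaUpdate` value and, more generally, any autorun value that launches a `.jar` from a temp directory. The sample output, its key path and every entry other than `JavaUpdate` are constructed for illustration.

```python
import re

# Constructed `reg query` output for a per-user Run key (sample data, not from a real host).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    JavaUpdate    REG_SZ    %Temp%\update.jar
    Notes    REG_EXPAND_SZ    javaw.exe -jar "C:\Users\alice\AppData\Local\Temp\sync.jar"
    Backup    REG_SZ    "C:\Program Files\Backup\agent.exe"
"""

# `reg query` separates value name, type and data with four spaces.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# A .jar path, either quoted (may contain spaces) or a bare token.
JAR_PATH = re.compile(r'"([^"]+\.jar)"|(\S+\.jar)', re.IGNORECASE)
TEMP_MARKERS = ("%temp%", "%tmp%", r"\appdata\local\temp")
KNOWN_NAME, KNOWN_DATA = "javaupdate", r"%temp%\update.jar"  # values from the write-up


def parse_run_values(text):
    """Yield (name, data) for every value line in `reg query` output."""
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            yield m["name"], m["data"].strip()


def flag_suspicious(text):
    """Return [(name, data, reasons)] for autorun values worth a closer look."""
    findings = []
    for name, data in parse_run_values(text):
        reasons = []
        if name.lower() == KNOWN_NAME and data.strip('"').lower() == KNOWN_DATA:
            reasons.append("matches the JavaUpdate entry in the write-up")
        jars = [(m.group(1) or m.group(2)).lower() for m in JAR_PATH.finditer(data)]
        if any(marker in jar for jar in jars for marker in TEMP_MARKERS):
            reasons.append("autorun launches a .jar from a temp directory")
        if reasons:
            findings.append((name, data, reasons))
    return findings


if __name__ == "__main__":
    for name, data, reasons in flag_suspicious(SAMPLE_REG_QUERY):
        print(f"{name}: {data} -> {'; '.join(reasons)}")
```

A hit on the generic rule alone is a lead for review, since the value name and file name are trivially changed between variants.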
The Trojan then connects to the following remote location to update its list of command-and-control (C&C) servers:
Next, it gathers the following information and sends it to the C&C server:
- Host name
- Operating system version
- Java version
- User name
- Process list
The Trojan then opens a back door on the compromised computer.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":