When the Trojan is executed, it creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"IcpIpCfg" = "Rundll32 "%UserProfile%\Application Data\[RANDOM FILE NAME].dll" MainThread"
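The persistence entry above is a Rundll32 command pointing at a DLL dropped under the user's profile, which is a pattern a defender can check for directly. The following is an added example (not Symantec's code or part of the original writeup): it parses Run-key values, extracts the DLL path and export name from Rundll32 commands, and flags any whose DLL lives in a user-writable profile directory. The sample entries are constructed; the live read of the Run key only runs on Windows.

```python
import re
import sys

# Constructed sample Run-key entries (value name -> command), not read from a live system.
# The first mirrors the entry described in the writeup; the others are benign look-alikes.
SAMPLE_RUN_ENTRIES = {
    "IcpIpCfg": r'Rundll32 "%UserProfile%\Application Data\[RANDOM FILE NAME].dll" MainThread',
    "Control": r'rundll32.exe shell32.dll,Control_RunDLL',
    "ctfmon": r'C:\Windows\System32\ctfmon.exe',
}

# Locations a standard user can write to; a startup DLL there is worth a second look.
USER_WRITABLE = re.compile(
    r'%userprofile%|%appdata%|\\application data\\|\\appdata\\|\\users\\[^\\]+\\|\\documents and settings\\',
    re.I,
)

# Optional host/path, "rundll32[.exe]", then a quoted or bare DLL path, then an export name.
RUNDLL32_CMD = re.compile(
    r'^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?[\s,]+(?:"([^"]+)"|([^\s,]+))[\s,]*(\S*)\s*$', re.I
)

def parse_rundll32(command):
    """Return (dll_path, export) if the command launches rundll32, otherwise None."""
    m = RUNDLL32_CMD.match(command)
    if not m:
        return None
    return (m.group(1) or m.group(2)), m.group(3)

def flag_suspicious(entries):
    """Return [(value_name, dll_path, export)] for rundll32 entries loading a DLL from a user-writable path."""
    findings = []
    for name, cmd in entries.items():
        parsed = parse_rundll32(cmd)
        if parsed and USER_WRITABLE.search(parsed[0]):
            findings.append((name, parsed[0], parsed[1]))
    return findings

def read_run_key():
    """Enumerate HKCU\\...\\CurrentVersion\\Run on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            entries[name], i = value, i + 1
    return entries

if __name__ == "__main__":
    for name, dll, export in flag_suspicious(read_run_key() or SAMPLE_RUN_ENTRIES):
        print(f"suspicious Run entry {name!r}: rundll32 loads {dll} export {export}")
```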
Next, the Trojan downloads configuration settings from the following URL:
It then saves the configuration settings to the following file before updating itself:
The Trojan sends the operating system (OS) version installed on the compromised computer to the following location:
The Trojan then monitors Internet Explorer traffic for the following URLs associated with online banking sites:
If one of the above URLs is visited, the Trojan displays a fake login screen and records any credentials entered into it.
The Trojan then sends the stolen credentials to the remote attacker.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":