The Trojan registers files downloaded from remote websites in the registry so that its creator can gain unauthorized access to the user's computer. It also steals information that the user enters or has saved.
To stay hidden, it conceals itself inside currently running programs so that it cannot be detected easily, and it deletes the file it was run from. If it detects that it is running on a virtual machine, it terminates itself, which hinders antivirus companies from researching its behavior.
It affects Windows versions from Windows 98 to Windows Vista.
It creates the following files in the System folder, depending on the variant:
It creates these registry values ("value" = "content"):
- "svchost" = "%System%\Svch0st.exe"
- "winlogon" = "%System%\Winlogon.exe"
- "system" = "%System%\Explorer.exe"
- "ravmond" = "%System%\Explorer.exe"
Under these keys:
If the system is Windows NT, it adds one of these values:
- "run" = "%system%\svch0st.EXE"
- "run" = "%system%\ravmond.exe"
Under this key:
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
If the system is Windows 98, it adds "C:\WINDOWS\SYSTEM\SVCH0ST.EXE" to the "run" value in "win.ini".
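The autostart locations listed above can be turned into a simple check. The following is an added example, not code from the original page or from any vendor tool: it parses a constructed .reg export and win.ini fragment and flags the value-name/file-name pairs the page lists. The sample paths, the benign "Updater" entry and the full key names are constructed for illustration, since the page does not name the Run keys used.

```python
import re
# Constructed sample data (not from an infected host): a REGEDIT4-style export and a win.ini fragment.
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\\WINDOWS\\system32\\Svch0st.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="C:\\WINDOWS\\system32\\ravmond.exe"
"""
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\SVCH0ST.EXE\n"

# (value name, file name) pairs the page attributes to the Trojan; note the digit zero in "svch0st".
SUSPECT_ENTRIES = {("svchost", "svch0st.exe"), ("winlogon", "winlogon.exe"),
                   ("system", "explorer.exe"), ("ravmond", "explorer.exe"),
                   ("run", "svch0st.exe"), ("run", "ravmond.exe")}

def parse_reg_export(text):
    """Map key -> {value name: data} from a .reg text export (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            if m := re.match(r'"([^"]+)"="(.*)"$', line):  # .reg files escape backslashes
                current[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def parse_win_ini_run(text):
    """Return the programs named on the [windows] run= line of win.ini."""
    section, programs = None, []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        elif section == "windows" and s.lower().startswith("run="):
            programs += [p for p in re.split(r"[ ,]+", s[4:]) if p]
    return programs

def find_autostart_indicators(reg_text, ini_text):
    """List registry values and win.ini run= programs matching SUSPECT_ENTRIES."""
    hits, suspect_files = [], {f for _, f in SUSPECT_ENTRIES}
    for key, values in parse_reg_export(reg_text).items():
        for name, data in values.items():
            if (name.lower(), data.rsplit("\\", 1)[-1].lower()) in SUSPECT_ENTRIES:
                hits.append(f"{key}\\{name} -> {data}")
    for prog in parse_win_ini_run(ini_text):
        if prog.rsplit("\\", 1)[-1].lower() in suspect_files:
            hits.append(f"win.ini [windows] run -> {prog}")
    return hits
```

On a live host the same functions can be fed the output of `reg export` and the contents of `%windir%\win.ini`.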