Type : Trojan
Size : 21,088 bytes
System Affected : Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Backdoor.Nibu.h is a variant of Backdoor.Nibu.E that attempts to steal passwords and bank account information.
When Backdoor.Nibu.h is executed, it does the following:
0. Drops Backdoor-Nibu.h.dll.
1. Copies itself as:
· %System%\Swchost.exe
· %System%\Svohost.exe
· %Startup%\Svchost.exe
2. Creates the following files:
· %Windir%\Rundlln.sys
· %Windir%\Prntsvr.dll
· %Windir%\Temp\feff35a0.htm
· %Windir%\Temp\fe43e701.htm
· %Windir%\Temp\fa4537ef.tmp
3. Adds the value:
"load32"="%System%\swchost.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the Trojan runs when you start Windows.
4. Creates and loads a .dll file to capture keystrokes. Known variants have used %Windir%\Prntsvr.dll as the file name.
5. May create the registry keys:
· HKEY_LOCAL_MACHINE\SOFTWARE\SARS
· HKEY_USERS\.DEFAULT\SOFTWARE\SARS
6. Modifies the value data of:
Shell
in the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
from:
"explorer.exe"
to:
"explorer.exe %System%\svohost.exe"
so that the Trojan runs when you start Windows NT/2000/XP.
7. Modifies the %Windir%\System.ini file by changing the value:
"Shell"="Explorer.exe"
to:
"Shell"="explorer.exe %System%\svohost.exe"
so that the Trojan runs when you start Windows 95/98/Me.
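Steps 3, 6 and 7 describe three persistence points: a Run value, the Winlogon Shell value, and the shell= line in System.ini. The following Python is an added detection example, not part of the original write-up; it audits copies of those three settings passed in as strings and a dictionary (constructed sample values are embedded, so it runs offline rather than reading a live registry). The file names it flags (swchost.exe, svohost.exe) and the Run value name load32 are taken from the write-up; the sample drive paths are assumptions.

```python
from typing import Dict, List, Optional

# Constructed sample values modelled on the write-up (not read from a live machine).
CLEAN_SHELL = "explorer.exe"
TAMPERED_SHELL = "explorer.exe C:\\WINDOWS\\system32\\svohost.exe"

SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe C:\\WINDOWS\\system32\\svohost.exe
[drivers]
wave=mmdrv.dll
"""

# Value name -> command, as found under HKLM\...\CurrentVersion\Run.
SAMPLE_RUN_VALUES = {
    "load32": "C:\\WINDOWS\\system32\\swchost.exe",
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
}

# File names the write-up lists as copies of the Trojan; compared case-insensitively.
KNOWN_NIBU_NAMES = {"swchost.exe", "svohost.exe"}


def extra_shell_programs(shell_value: str) -> List[str]:
    """Return every program named in a Shell value other than explorer.exe.

    A clean Winlogon Shell (or System.ini shell=) value is just 'explorer.exe';
    anything appended after it is launched at logon. Splits on whitespace, so a
    quoted path containing spaces would show up as several tokens.
    """
    tokens = shell_value.strip().split()
    return [t for t in tokens if t.lower() != "explorer.exe"]


def system_ini_shell(text: str) -> Optional[str]:
    """Return the shell= value from the [boot] section of a System.ini body, or None."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() == "shell":
                return val.strip()
    return None


def suspicious_run_values(run_values: Dict[str, str]) -> List[str]:
    """Return Run value names whose command ends in a file name associated with Nibu."""
    hits = []
    for name, cmd in run_values.items():
        # Take the last path component, tolerating quotes and forward slashes.
        exe = cmd.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in KNOWN_NIBU_NAMES:
            hits.append(name)
    return hits


def audit(shell_value: str, system_ini_text: str,
          run_values: Dict[str, str]) -> Dict[str, List[str]]:
    """Combine the three checks; an empty dict means nothing suspicious was found."""
    findings: Dict[str, List[str]] = {}
    extra = extra_shell_programs(shell_value)
    if extra:
        findings["winlogon_shell"] = extra
    ini_shell = system_ini_shell(system_ini_text)
    if ini_shell:
        extra_ini = extra_shell_programs(ini_shell)
        if extra_ini:
            findings["system_ini_shell"] = extra_ini
    run_hits = suspicious_run_values(run_values)
    if run_hits:
        findings["run_key"] = run_hits
    return findings


if __name__ == "__main__":
    for key, value in audit(TAMPERED_SHELL, SAMPLE_SYSTEM_INI, SAMPLE_RUN_VALUES).items():
        print(f"{key}: {value}")
```

On a real host the Shell value would be read from the Winlogon key and the Run values from the Run key; the functions deliberately take plain strings so the same logic can also be run over exported .reg files or forensic images.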
8. Looks for windows that have the following string in the title bar:
http:/ /www.whatpornsite.com/css/logger.php
This Trojan captures the keystrokes that are typed into these windows and stores them in a log file.
9. Captures the window title and keystrokes that are typed into open windows. The Trojan stores them in the log file %Windir%\Prntk.log. Other stolen information that may also be stored in this file includes the IP address of the infected computer and system information, such as the operating system and Internet Explorer version. It may also try to steal FAR Manager and FTP Commander passwords, and protected storage data.
10. Launches a thread that monitors the clipboard, saving any data that is found to a log file. This file is named %Windir%\Prntc.log.
11. Periodically checks the size of the files it uses for logging stolen information. When the files reach a certain size, the stolen information will be copied into an email-formatted file using the Trojan's built-in SMTP engine. The Trojan retrieves the details of the registered owner from the registry and uses these details in the file.
The email-formatted file has the following characteristics:
From:
To: you
12. Writes an HTML file containing the stolen data to %Windir%\TEMP\feff35a0.htm.
13. Writes a raw MIME message containing the stolen data to %Windir%\TEMP\fa4537ef.tmp.
14. Listens on TCP ports 1001 and 10000 for remote instructions.
15. Disables access to certain antivirus Web sites by adding the following lines to %System%\Drivers\etc\hosts:
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
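Step 15 is the classic hosts-file hijack: security vendors' update and download sites are pointed at the loopback address so updates and signature downloads fail silently. The Python below is an added detection example, not part of the original write-up; it parses a hosts file body and reports any security-vendor host mapped to a loopback or sinkhole address. The vendor domains are the ones listed above (matched as exact names or subdomains, so it also catches hosts such as securityresponse.symantec.com); treating 0.0.0.0 and ::1 as sinkhole addresses goes slightly beyond the write-up, which only shows 127.0.0.1. The sample hosts content is constructed.

```python
from typing import List, Tuple

# Vendor domains the write-up lists as redirected; a host equal to one of these,
# or a subdomain of one, is treated as security-related.
SECURITY_DOMAINS = {
    "avp.com", "ca.com", "symantec.com", "mcafee.com", "f-secure.com",
    "kaspersky.com", "symantecliveupdate.com", "my-etrust.com", "nai.com",
    "networkassociates.com", "sophos.com", "trendmicro.com", "viruslist.com",
}

# Addresses that make a name resolve nowhere useful (127.0.0.1 is what the
# write-up shows; ::1 and 0.0.0.0 are added here as common equivalents).
SINKHOLE_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample hosts file: a normal localhost line, comments, a legitimate
# custom entry, and three lines of the kind the Trojan appends.
SAMPLE_HOSTS = """# Constructed sample hosts file
127.0.0.1       localhost
10.0.0.5\tintranet.example.local
127.0.0.1 liveupdate.symantec.com   # trailing comment
127.0.0.1 www.mcafee.com  mcafee.com
127.0.0.1 kaspersky.com
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Parse hosts-file syntax into (address, [hostnames]) tuples.

    Handles '#' comments (whole-line or trailing), blank lines, tab or space
    separators, and several hostnames on one line. Hostnames are lower-cased.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no names is meaningless; skip it
        entries.append((parts[0], [p.lower() for p in parts[1:]]))
    return entries


def is_security_domain(host: str) -> bool:
    """True if host is one of the vendor domains or lies under one of them."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def hijacked_hosts(text: str) -> List[str]:
    """Return vendor hostnames that the hosts file maps to a sinkhole address."""
    hits = []
    for address, names in parse_hosts(text):
        if address in SINKHOLE_ADDRESSES:
            hits.extend(n for n in names if is_security_domain(n))
    return hits


if __name__ == "__main__":
    for name in hijacked_hosts(SAMPLE_HOSTS):
        print("redirected to loopback:", name)
```

On a live system the body would come from %System%\Drivers\etc\hosts; because the parser works on text, the same function can be pointed at a hosts file copied out of a disk image during incident response. Any non-empty result is worth treating as a finding, since a legitimate hosts file has no reason to map vendor update sites to loopback.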