Also Known As:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
When the Trojan is executed, it copies itself to the following location:
Next, it creates the following folder:
C:\Documents and Settings\Administrator\Application Data\Microsoft\Backups
The Trojan then takes screenshots and saves them to the following location:
Note: [NUMBER] starts at 0 and increments by 1 for each screenshot that is taken.
Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Google Updater" = "%UserProfile%\Application Data\Microsoft\SysAudio.exe"
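A check for the Run entry described above, as an added example that is not part of the original write-up. It parses saved `reg query` output for the Run key and flags values that match the value name and the SysAudio.exe path given above; the sample text, the function names and the verdict labels are constructed for illustration.

```python
import re

# Indicators taken from the write-up above (compared case-insensitively).
RUN_VALUE_NAME = "google updater"
PAYLOAD_TAIL = r"\application data\microsoft\sysaudio.exe"

# One value line of `reg query` output: 4-space indent, name, type, data.
VALUE_LINE = re.compile(
    r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")

def parse_run_values(reg_query_text):
    """Return (name, type, data) tuples from `reg query` text for a Run key."""
    values = []
    for line in reg_query_text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values.append((m["name"].strip(), m["type"], m["data"].strip()))
    return values

def classify(name, data):
    """Return 'match', 'path-only', 'name-only' or None for one Run value."""
    name_hit = name.lower() == RUN_VALUE_NAME
    # Quotes are dropped so quoted and unquoted command lines compare alike.
    path_hit = PAYLOAD_TAIL in data.replace('"', "").lower()
    if name_hit and path_hit:
        return "match"        # both the value name and the path agree
    if path_hit:
        return "path-only"    # same payload path under a different value name
    if name_hit:
        return "name-only"    # same value name, different target: review
    return None

def scan(reg_query_text):
    """Return (name, verdict, data) for every Run value worth reviewing."""
    hits = []
    for name, _type, data in parse_run_values(reg_query_text):
        verdict = classify(name, data)
        if verdict:
            hits.append((name, verdict, data))
    return hits

# Constructed sample of `reg query` output (not captured from a real host).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Google Updater    REG_SZ    %UserProfile%\Application Data\Microsoft\SysAudio.exe
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    AudioHelper    REG_SZ    "C:\Documents and Settings\bob\Application Data\Microsoft\SysAudio.exe"
"""

if __name__ == "__main__":
    for name, verdict, data in scan(SAMPLE):
        print(f"{verdict:10} {name!r} -> {data}")
```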
The Trojan also records the following information:
Title bars of open windows
The stolen information is then sent to the following location in an email format: