A Trojan implemented as a dynamic-link library. There are two modifications of this malicious program—for 32-bit and 64-bit Windows versions. The Trojan is installed on the system by means of a dropper implemented as an executable file. The dropper decrypts the library saving it under a random name into %windir%\System32\%random%.dll and recording it as AppInit_DLLs in the system registry.
The library is injected into browser processes and into explorer.exe and svchost.exe if svchost.exe is run with the "-k netsvcs" parameter.
The Trojan can perform the following actions: download and launch executable files, intercept browser network functions, launch browsers without user knowledge, generate traffic for certain webpages, update itself, communicate with a remote command and control center.