The Trojan displays a picture containing some text in Japanese.
Once executed, the Trojan copies itself as the following files:
It then creates the following files:
C:\MI3\LOOT.TXT – trace route output
C:\MI3\IP.TXT – IP address of the victim
C:\MI3\SHOT.BMP – screenshot of the desktop
It then replaces random files on the current drive with a picture
contained within the Trojan and changes their file extension to .jpg.
The affected files may be of any type, including documents and executables.
It then deletes all files from all folders found under:
It takes screenshots of the desktop and saves them to:
It executes the following command:
command.com /C tracert www.yahoo.co.jp
It then stores the output to the following file:
The Trojan connects to the following FTP server:
It then creates a folder containing the locally logged-on user name,
the date and the IP address in the above-mentioned FTP location,
using the following account:
The Trojan stores the following information in the created folder:
IP[COUNTER].TXT – contains the output of the tracert command
*.BMP – BMP images that contain screenshots of the desktop
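
A host-triage check for the behaviours listed above, added here as an example and not part of the original write-up: it matches the C:\MI3 files, the tracert command line and a burst of renames to .jpg in endpoint events. The event field names, the sample events and the rename threshold are assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Indicators taken from the description above.
DROP_FILES = {r"c:\mi3\loot.txt", r"c:\mi3\ip.txt", r"c:\mi3\shot.bmp"}
TRACERT_RE = re.compile(r"command\.com\s+/c\s+tracert\s+www\.yahoo\.co\.jp", re.I)
RENAME_THRESHOLD = 5  # assumed tuning value, not from the write-up

# Constructed sample events; the schema (host/type/path/...) is hypothetical.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "file_create", "path": r"C:\MI3\LOOT.TXT"},
    {"host": "WS01", "type": "file_create", "path": r"C:\MI3\IP.TXT"},
    {"host": "WS01", "type": "file_create", "path": r"C:\MI3\SHOT.BMP"},
    {"host": "WS01", "type": "process",
     "cmdline": "command.com /C tracert www.yahoo.co.jp"},
    {"host": "WS02", "type": "process",
     "cmdline": "cmd.exe /c tracert www.example.com"},
    {"host": "WS02", "type": "file_rename",
     "old": r"D:\pics\a.png", "new": r"D:\pics\a.jpg"},
] + [
    {"host": "WS01", "type": "file_rename",
     "old": rf"D:\work\f{i}.{ext}", "new": rf"D:\work\f{i}.jpg"}
    for i, ext in enumerate(["doc", "exe", "xls", "txt", "zip"])
]

def score_hosts(events, rename_threshold=RENAME_THRESHOLD):
    """Return {host: sorted list of matched behaviours} for hosts with hits."""
    hits = defaultdict(set)
    renames = defaultdict(int)
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "file_create" and ev["path"].lower() in DROP_FILES:
            hits[host].add("mi3_drop:" + ntpath.basename(ev["path"]).upper())
        elif kind == "process" and TRACERT_RE.search(ev["cmdline"]):
            hits[host].add("tracert_cmd")
        elif kind == "file_rename":
            old_ext = ntpath.splitext(ev["old"])[1].lower()
            new_ext = ntpath.splitext(ev["new"])[1].lower()
            # Count only extension changes *to* .jpg from a non-JPEG type.
            if new_ext == ".jpg" and old_ext not in (".jpg", ".jpeg"):
                renames[host] += 1
    for host, count in renames.items():
        if count >= rename_threshold:
            hits[host].add("mass_jpg_rename")
    return {host: sorted(found) for host, found in hits.items()}

if __name__ == "__main__":
    for host, found in score_hosts(SAMPLE_EVENTS).items():
        print(host, found)
```
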
The following other pictures are displayed when it is executed.