It also changes the registry so that its copy automatically runs every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Sets value: "59870" With data: "<location and name of the malware file>"
The threat creates an instance of the system process wuauclt.exe, into which it injects code.
USB flash drives
Depending on the malware configuration, the threat might copy itself to USB flash drives. It creates the file autorun.inf, which points to its copy. This copy is automatically run if the flash drive is accessed from another PC that has enabled the Autorun feature.
Communicates with a remote server
The threat tries to connect to the following servers via HTTP GET:
It retrieves commands from the server that might tell it to do any of the following:
Download and run other files, which might be malware
Download and load modules, which might add to the malware's functionality