This Trojan is written in Visual Basic and has an approximate size of 45 kilobytes. When run it searches the hard disk for files with the following extensions:
If a file with any of these extensions is found, the malware creates a copy of itself in the folder where the file has been found appending .exe to the filename. For example if the file is located in C:\example\picture.jpg, the malware will create a copy of itself as C:\example\picture.jpg.exe.
When run, the Trojan will create a hidden folder derived from the name of the executable (by appending an “l”) and open it in explorer. For example, if the user runs the malware located at C:\example\picture.jpg.exe, it will create the folder C:\example\picturel. After creation, the folder will be opened in explorer, giving the impression that the user double-clicked on a folder rather than an executable. The malware has also an icon similar to the folder icon used by the Windows Explorer (a social engineering trick frequently used by malware).
The malware marks the fact that it was run by creating a value named “1” set to “T” in the registry key “HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\LA\run”.
The malware searches for components of Symantec's Norton Antivirus and tries to disable them by overwriting the executables. Specifically it searchers for: