When run, the trojan installs itself on the system. It copies its file as SYSTEM.EXE to the Windows System directory and creates the following entry in the System Registry:
"ssgrate.exe" = "%winsysdir%\system.exe"
where %winsysdir% is the name of the Windows System directory.
The trojan also creates another entry in the Registry where it stores its internal variables.
Then the trojan starts a thread that accesses 15 different websites and opens a PHP page there with certain parameters. This way the trojan reports its ID, proxy port and the IP addresses of infected computers to its authors.
After that the trojan starts a thread that terminates processes with the following names:
The trojan has 3 links in its body that point to a data-stealing trojan located on 3 different websites. This trojan is detected as 'Trojan.PSW.Ldpinch.as'. The infected files have recently been removed from those websites.
The trojan has a mail relay that functions on a certain port (in the sample we got, the port number is 39999).
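A triage check for the indicators described above, as an added example that is not part of the original description: it scans the text of a `reg export` file and of `netstat -ano` output. The description does not name the registry key, so the constructed sample uses a placeholder key and the scan matches on value name and data only; all sample input is constructed.

```python
import re

# Indicators taken from the description above.
VALUE_NAME = "ssgrate.exe"
DROPPED_FILE = "system.exe"
RELAY_PORT = 39999  # port seen in the analysed sample; other samples may differ
REG_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')

def scan_reg_export(text):
    """Return (key, name, data) for values matching the trojan's registry entry."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # remember which key the following values belong to
            continue
        m = REG_LINE.match(line)
        if not m:
            continue
        data = m.group("data").replace("\\\\", "\\")  # .reg files double backslashes
        leaf = data.rsplit("\\", 1)[-1]  # %winsysdir% varies, so compare file name only
        if m.group("name").lower() == VALUE_NAME and leaf.lower() == DROPPED_FILE:
            hits.append((key, m.group("name"), data))
    return hits

def scan_netstat(text, port=RELAY_PORT):
    """Return PIDs of TCP listeners on the relay port (from `netstat -ano` text)."""
    pids = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            if parts[1].rsplit(":", 1)[-1] == str(port):
                pids.append(int(parts[4]))
    return pids

# Constructed sample input (not from a real host); the key name is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_PLACEHOLDER\key-not-named-on-the-page]
"ssgrate.exe"="C:\\WINDOWS\\system32\\system.exe"
"SomeUpdater"="C:\\Program Files\\Updater\\system.exe"
'''
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:39999          0.0.0.0:0              LISTENING       2212
  TCP    10.0.0.5:1042          192.0.2.10:39999       ESTABLISHED     3010
"""

if __name__ == "__main__":
    print(scan_reg_export(SAMPLE_REG), scan_netstat(SAMPLE_NETSTAT))
```

A listener on the port alone is a weak signal, since the description gives 39999 only for the analysed sample; treat it as corroboration for a registry hit.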