Bing, Yahoo and Google Searches hijacked by click fraud botnet
The botnet stretches across the world, but it operates mostly out of India. Other heavily affected countries include Italy, Greece, USA, Pakistan, Malaysia, Algeria and Brazil.
The botnet runs a man-in-the-middle attack. It installs fake certificates on the system that trick the browsers into believing they have a secure connection with the search engines. The infection vector for the malware is altered setup files for popular applications. These include Connectify, YouTube Downloader, WinRar and Stardock.
The altered installers create scheduled tasks on the computer. These are called “Adobe Flash Update” and “Adobe Flash Scheduler”, and start up every time. These scheduled tasks in turn run scripts that change the web settings of the user. The machine then reroutes traffic through a local or remote proxy server.
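A defender's triage check for the artifacts described above, as an added example that is not from the original article: it looks for the two task names in exported `schtasks /query /fo csv /v` output and reports proxy values from the user's Internet Settings registry key. The sample rows, file paths and proxy address are constructed, and the list of script hosts is an assumption.

```python
import csv
import io

# Task names reported in the article.
SUSPECT_TASK_NAMES = {"adobe flash update", "adobe flash scheduler"}
# Assumption: script hosts a task action might invoke; the article only says "scripts".
SCRIPT_HOSTS = ("wscript", "cscript", "powershell", "mshta", "cmd")


def suspicious_tasks(schtasks_csv):
    """Return (name, action, runs_script) for tasks using the reported names."""
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        # TaskName is a path such as "\Folder\Name"; compare the leaf only.
        name = row["TaskName"].rsplit("\\", 1)[-1].strip()
        if name.lower() in SUSPECT_TASK_NAMES:
            action = row["Task To Run"].strip()
            runs_script = any(h in action.lower() for h in SCRIPT_HOSTS)
            hits.append((name, action, runs_script))
    return hits


def proxy_findings(settings):
    """Report Internet Settings values that reroute browser traffic."""
    findings = []
    # ProxyServer only takes effect when ProxyEnable is set.
    if settings.get("ProxyEnable") == 1 and settings.get("ProxyServer"):
        findings.append(("ProxyServer", settings["ProxyServer"]))
    # A proxy auto-config URL reroutes traffic regardless of ProxyEnable.
    if settings.get("AutoConfigURL"):
        findings.append(("AutoConfigURL", settings["AutoConfigURL"]))
    return findings


# Constructed sample: a subset of the columns from `schtasks /query /fo csv /v`.
SAMPLE_TASKS = r'''"HostName","TaskName","Status","Task To Run"
"PC1","\Adobe Flash Scheduler","Ready","wscript.exe C:\Users\Public\placeholder1.vbs"
"PC1","\Adobe Flash Update","Ready","wscript.exe C:\Users\Public\placeholder2.vbs"
"PC1","\Adobe Flash Player Updater","Ready","C:\Windows\placeholder\FlashUtil.exe"
'''

# Constructed sample of values read from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
SAMPLE_SETTINGS = {"ProxyEnable": 1, "ProxyServer": "127.0.0.1:8080"}

if __name__ == "__main__":
    for name, action, runs_script in suspicious_tasks(SAMPLE_TASKS):
        print(f"task {name!r} -> {action} (script host: {runs_script})")
    for key, value in proxy_findings(SAMPLE_SETTINGS):
        print(f"proxy setting {key} = {value}")
```

A name match alone is only a lead; the task's action and any proxy setting the user did not configure are what confirm it.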