Instead of adding itself to the Startup list - a move that is obvious both to AV solutions and savvy users - it takes a library file (comres.dll) commonly used by a number of popular browsers, communication apps and networking tools, copies it, changes the copy so that the malware springs to life every time it is called and, finally, saves it in the Windows directory.
Why there? Well, the malware takes advantage of the fact that some apps specify only the name of the DLL file they need to function, instead of a full path to that DLL. So, every time they need that particular file, they load the copy modified by the malware, as it's more accessible.
"The dropper patches the copy by adding a single new malicious function to the original code library to be imported and launched with the rest of its functions. Next, the Trojan drops the file 'prfn0305.dat' (identified by Bitdefender as Backdoor.Zxshell.B) that exports (contains) the function that compromises the system," explain the researchers. "And everything is now in place. The moment the system calls the code library, the malware is turned on."
The backdoor effectively allows cybercriminals to add or delete users, change passwords, add or remove user privileges, and run executable files with elevated privileges.
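A defender can check for the planted copy described above by looking for DLLs in the Windows directory whose name duplicates a system library and whose contents differ. The following is an added example, not code from the researchers or from the original article; it assumes the legitimate comres.dll lives in the System32 subdirectory, and the function names and the sample directory tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256(path):
    """Hash a file in chunks so large libraries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_shadowed_dlls(windows_dir, system_dir):
    """Report DLLs in windows_dir that share a name with a DLL in system_dir."""
    # Windows file names are case-insensitive, so index by lower-cased name.
    system = {p.name.lower(): p for p in system_dir.iterdir()
              if p.is_file() and p.suffix.lower() == ".dll"}
    findings = []
    for candidate in sorted(windows_dir.iterdir()):
        if not candidate.is_file() or candidate.suffix.lower() != ".dll":
            continue
        original = system.get(candidate.name.lower())
        if original is None:
            continue  # no same-named system library, nothing is shadowed
        findings.append({
            "name": candidate.name.lower(),
            "shadow": candidate,
            "original": original,
            # A byte-for-byte difference means the copy was altered.
            "modified": sha256(candidate) != sha256(original),
        })
    return findings


def demo():
    # Constructed sample tree standing in for C:\Windows and its System32 folder.
    root = Path(tempfile.mkdtemp())
    win, sys32 = root / "Windows", root / "Windows" / "System32"
    sys32.mkdir(parents=True)
    (sys32 / "comres.dll").write_bytes(b"MZ constructed original library")
    (sys32 / "kernel32.dll").write_bytes(b"MZ constructed kernel library")
    (win / "ComRes.dll").write_bytes(b"MZ constructed original library + extra import")
    (win / "twain.dll").write_bytes(b"MZ constructed unrelated library")
    return find_shadowed_dlls(win, sys32)


if __name__ == "__main__":
    for hit in demo():
        print(hit["name"], "MODIFIED" if hit["modified"] else "identical", hit["shadow"])
```

On a real host, pass the actual Windows and System32 paths to `find_shadowed_dlls`; any hit marked as modified deserves a closer look at its import table.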