When the Trojan is executed, it creates the following file:
Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs" = " %System%\fpfstb.dll"
It also creates the following registry entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\keyboard\advanced\"core_installed" = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\keyboard\advanced\"id" = "[32 RANDOM CHARACTERS]"
It then modifies the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\"Start" = "4"
The Trojan then accesses the following URL to notify a remote attacker of the infection:
[http://]filefixpro.com/public/stat[REMOVED]?cmd=installs&uid=[HEXADECIMAL CHARACTERS]&id="[20 RANDOM CHARACTERS]"
Next, the Trojan searches through the My Documents folder for files that have the following file extensions:
The Trojan then encrypts all of the files that it finds.
Next, it accesses the following URL to upload the number of files that have been encrypted:
[http://]filefixpro.com/public/stat[REMOVED]?cmd=files&uid=[HEXADECIMAL CHARACTERS]&ext=[FILE EXTENSION].[NUMBER OF ENCRYPTED FILES]
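The registry values and the two status URLs above are the host and network indicators a responder would hunt for. The following helper is an added example (not Symantec's code): it matches the three registry indicators against (key, value name, data) tuples such as those parsed from a .reg export, and decodes the status URLs from proxy log lines so that the per-extension encrypted-file counts the Trojan reports can be read back per client. The sample log lines and the "stat" path ending are constructed; the writeup redacts the real path after "stat".

```python
import re
from urllib.parse import parse_qs, urlsplit
# Registry indicators from the writeup above: key path -> {value name: substring expected in the data}.
# Start = 4 under a service key means SERVICE_DISABLED, so the srservice change turns System Restore off.
REGISTRY_INDICATORS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows": {"AppInit_DLLs": "fpfstb.dll"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\keyboard\advanced": {"core_installed": "1"},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice": {"Start": "4"},
}

def check_registry(entries):
    """entries: (key_path, value_name, data) tuples, e.g. from a .reg export; returns the ones matching an indicator."""
    hits = []
    for key, name, data in entries:
        wanted = REGISTRY_INDICATORS.get(key, {})
        if name in wanted and wanted[name].lower() in str(data).lower():
            hits.append((key, name, data))
    return hits

# The writeup redacts the path after ".../public/stat", so only that prefix is matched.
BEACON_RE = re.compile(r"filefixpro\.com/public/stat", re.IGNORECASE)

def parse_beacon(url):
    """Decode a status URL: cmd=installs reports the infection, cmd=files carries '<ext>.<count>'. None if not a beacon."""
    if not BEACON_RE.search(url):
        return None
    q = parse_qs(urlsplit(url).query)
    info = {"cmd": q.get("cmd", [""])[0], "uid": q.get("uid", [""])[0]}
    if info["cmd"] == "files" and "ext" in q:
        ext, _, count = q["ext"][0].rpartition(".")
        info["ext"], info["count"] = ext, (int(count) if count.isdigit() else None)
    return info

def summarize_beacons(log_lines):
    """Proxy log lines '<client-ip> <url>' -> {client: {extension: number of encrypted files reported}}."""
    summary = {}
    for line in log_lines:
        client, _, url = line.strip().partition(" ")
        b = parse_beacon(url)
        if b and b["cmd"] == "files" and b.get("count") is not None:
            summary.setdefault(client, {})[b["ext"]] = b["count"]
    return summary

# Constructed sample data (not from the writeup): one infected client, one unrelated request.
SAMPLE_LOG = [
    "10.0.0.5 http://filefixpro.com/public/stat?cmd=installs&uid=0a1b2c3d&id=\"ABCDEFGHIJKLMNOPQRST\"",
    "10.0.0.5 http://filefixpro.com/public/stat?cmd=files&uid=0a1b2c3d&ext=doc.17",
    "10.0.0.5 http://filefixpro.com/public/stat?cmd=files&uid=0a1b2c3d&ext=jpg.240",
    "10.0.0.9 http://example.com/index.html",
]
```

Feeding a host's exported registry and its proxy traffic through these two checks gives both the persistence evidence and an estimate of how many documents were encrypted before the ransom prompt appeared.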
The Trojan then displays the following message:
Title:
Windows has detected that the following files seems to be corrupted. To prevent future data corruption, click Repair button below.
The Trojan also displays the following message whenever an encrypted file is opened:
Title:
Application can't open the file due to data corruption
Error 0x[RANDOM CHARACTERS]: Invalid header sequence.
Corrupted block: [RANDOM CHARACTERS]
The Trojan then opens the following URL in the default Internet browser:
It then downloads a program from the following URL:
The Trojan also displays the following messages in the system tray:
Title: Windows File Protection
Message: Windows detected that some of your MS Office and media files are corrupted. Click here to download and install recommended file repair application.
Title: FileFix Professional 2009
Message: Please, register your copy of FileFix Professional 2009 to repair all corrupted files. Click here to open Buy now page.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":