When the Trojan is executed, it creates the following files:
- %SystemDrive%\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS].exe
- %System%\[RANDOM CHARACTERS].exe
It then overwrites the following files with a copy of itself:
Next, it creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Winlogon\"Shell" = "%SystemDrive%\Documents and Settings\All Users\Application Data\[RANDOM CHARACTERS].exe"
It also modifies the following registry entry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\"CleanShutdown" = "0"
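The two registry modifications above are the durable, host-side indicators of this lockscreen. The following PowerShell check is an added example for triage on a suspected host, not code from the Symantec writeup; it assumes a modern Windows host and uses the full Winlogon path (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon), which the writeup abbreviates.

```powershell
# Added defender-side triage check for the persistence described above; not code from the
# Symantec writeup. Assumes a modern Windows host and the full Winlogon key path
# (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon), which the writeup abbreviates.
$findings = @()

# 1. Winlogon "Shell" is the value the Trojan replaces. On a clean system it is exactly
#    'explorer.exe'; a full path, a different binary, or a comma-separated extra entry means
#    something other than the Windows shell is started at logon.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    $findings += "Winlogon Shell is '$shell' instead of 'explorer.exe'"
    # Resolve each entry to a file and record its hash and signature state for triage.
    foreach ($entry in ($shell -split ',')) {
        $candidate = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
            $sig  = (Get-AuthenticodeSignature -FilePath $candidate).Status
            $findings += "  -> $candidate  SHA256=$hash  signature=$sig"
        } else {
            $findings += "  -> $candidate (file not found; may already have been removed)"
        }
    }
}

# 2. The Trojan also sets Explorer's CleanShutdown flag to 0 for the current user. On its own this
#    only says the last session did not end cleanly, so treat it as corroborating, not primary.
$explorerKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
$clean = (Get-ItemProperty -Path $explorerKey -Name CleanShutdown -ErrorAction SilentlyContinue).CleanShutdown
if ($null -ne $clean -and $clean -eq 0) {
    $findings += 'Explorer CleanShutdown = 0 (corroborating indicator only)'
}

if ($findings.Count -eq 0) {
    'No Winlogon Shell hijack or CleanShutdown modification found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it from an elevated prompt; the HKCU check only reflects the hive of the user running it. If the Shell value is hijacked, restoring it to `explorer.exe` after the dropped executable is removed is what returns the desktop at next logon.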
It then ends the following process:
It also disables the Alt+Tab and Alt+F4 keys as well as background windows.
Next, the Trojan displays an image in Russian demanding payment from the user for a password to return system functionality. However, no password will unlock the computer even if the user pays the ransom.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":