The worm appears as a Windows folder icon and spreads through removable media and network shares.
When the worm is executed, it creates the following files:
- [DRIVE LETTER]\Photo.exe
- [DRIVE LETTER]\Photo\Photo.exe
- [REMOVABLE DRIVE]\Photo.exe
- [MAPPED NETWORK DRIVE]\Photo.exe
The worm creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Photo" = "[DRIVE LETTER]\Photo\Photo.exe"
The worm downloads and executes potentially malicious files from the following remote location:
The worm may also report infection status to the remote location.
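Added example, not part of the original write-up: a Python triage helper that checks collected `reg query` output and a file listing for the file and Run-key indicators listed above. The function names and sample data are constructed for illustration, and the registry text is assumed to be in `reg query` output format.

```python
import re

# Indicators from the write-up; the drive letter varies per host.
DROP_PATH = re.compile(r'^[A-Z]:\\(?:Photo\\)?Photo\.exe$', re.IGNORECASE)
RUN_TARGET = re.compile(r'^[A-Z]:\\Photo\\Photo\.exe$', re.IGNORECASE)
RUN_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
# One value line of `reg query` output: 4 spaces, name, type, data.
REG_VALUE = re.compile(r'^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$')

# Constructed sample input (hypothetical host, not real telemetry).
SAMPLE_REG = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\demo\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Photo    REG_SZ    C:\Photo\Photo.exe
'''
SAMPLE_FILES = [
    r'C:\Photo\Photo.exe',
    r'E:\Photo.exe',
    r'C:\Users\demo\Pictures\Photo.exe',  # not a drive-root path, must not match
    r'Z:\photo.EXE',                      # Windows paths are case-insensitive
]


def parse_reg_query(text):
    """Parse `reg query` text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith('HKEY_'):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            m = REG_VALUE.match(line)
            if m:
                current[m['name']] = m['data'].strip()
    return keys


def find_indicators(reg_text, file_paths):
    """Return (kind, detail) findings for the Run value and dropped files."""
    findings = []
    keys = {k.lower(): v for k, v in parse_reg_query(reg_text).items()}
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        target = data.strip('"')
        if name.lower() == 'photo' and RUN_TARGET.match(target):
            findings.append(('run_key', f'{name} = {target}'))
    for path in (p.strip() for p in file_paths):
        if DROP_PATH.match(path):
            findings.append(('dropped_file', path))
    return findings


if __name__ == '__main__':
    for kind, detail in find_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(f'{kind}: {detail}')
```

A legitimate file named Photo.exe at a drive root would also match, so treat a hit as a lead to confirm against the Run value and the folder-icon disguise rather than as proof of infection.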
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":