When the worm executes, it copies itself as the following file:
It also creates the following file which serves as an infection marker:
It then creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"systray" = "C:\Windows\fbtre6.exe"
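A defensive check for the Run-key persistence described above, added here as an example and not part of the original write-up: it parses the text output of `reg query` for the Run key and flags the `systray` value named on this page. The sample output, the `review` heuristic for images placed directly in the Windows directory, and all function names are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Indicators copied from the write-up above.
IOC_NAME = "systray"
IOC_PATH = r"C:\Windows\fbtre6.exe"
WINDIR_ROOTS = {r"c:\windows", "%windir%", "%systemroot%"}

# Constructed `reg query` output for the Run key; not real host data.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    systray    REG_SZ    C:\Windows\fbtre6.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /background
    Helper    REG_SZ    C:\Windows\helper32.exe -s
"""

ENTRY = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
EXE = re.compile(r'"?(?P<path>.+?\.exe)', re.IGNORECASE)

def executable(data):
    """Strip quotes and arguments from a Run value, leaving the image path."""
    m = EXE.match(data.strip())
    return m.group("path") if m else data.strip()

def classify(name, path):
    """Return a verdict for one Run value, or None if nothing stands out."""
    if name.lower() == IOC_NAME and path.lower() == IOC_PATH.lower():
        return "known-indicator"
    # Heuristic (assumption of this example): autostart images placed directly
    # in the Windows directory root deserve a manual look.
    if str(PureWindowsPath(path).parent).lower() in WINDIR_ROOTS:
        return "review"
    return None

def scan(reg_query_output):
    findings = []
    for line in reg_query_output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        path = executable(m.group("data"))
        verdict = classify(m.group("name"), path)
        if verdict:
            findings.append((m.group("name"), path, verdict))
    return findings

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A `review` verdict is only a prompt for manual inspection, since legitimate Windows binaries also live in that directory.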
The worm deletes the following registry key:
It will then display the following message:
Error installing Codec. Please contact support.
It then searches for cookies related to social networking sites. If none are found, the worm deletes itself.
If the worm finds the appropriate security cookie, it modifies the settings so that links to malicious sites will be added to the user's profile to trick visitors into following them. These links will point to a copy of the worm disguised as a video codec.
The worm then connects to the following URL to notify the attacker of the installation and to check for new URLs and updates of the worm:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":