When the Trojan is executed, it drops the following files:
- %ProgramFiles%\Adobe Systems,inc\Foto file\INF.exe
It then creates the following registry entry to alter behavior when certain files are accessed or executed:
HKEY_CLASSES_ROOT\korrektorfile\shell\open\command\"(Default)" = "%ProgramFiles%\Adobe Systems,inc\Foto file\INF.exe \"%1\""
Next, the Trojan creates the following registry entries:
- HKEY_CLASSES_ROOT\.korrektor\"(Default)" = "korrektorfile"
- HKEY_CLASSES_ROOT\korrektorfile\DefaultIcon\"(Default)" = "%ProgramFiles%\Adobe Systems,inc\Foto file\INF.exe,0"
- HKEY_LOCAL_MACHINE\SOFTWARE\"syshelper" = "1"
The Trojan modifies the following registry entry to change the wallpaper:
HKEY_CURRENT_USER\Control Panel\Desktop\"Wallpaper" = "%SystemDrive%\look.jpg"
The displayed wallpaper is the following image, which is a message in Russian with instructions on how to restore access to the compromised computer:
The Trojan renames files with the exensions .txt, .htm, .chm, and .jpg as the following file:
[ORIGINAL FILE NAME].[EXTENSION].korrektor
When the renamed files are opened, the following file is run instead:
%ProgramFiles%\Adobe Systems,inc\Foto file\INF.exe
The Trojan opens an Internet browser window and connects to the following URL:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":