When the Trojan is executed, it copies itself to the following location:
The Trojan then creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Free" = "%UserProfile%\Application Data\froot\froot.exe -b"
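A defender-side check for this persistence entry, added here as an example and not part of the Symantec write-up: it parses the command string stored in each HKCU Run value and flags the value name, executable path and argument described above. The Run values are a constructed sample (a real host would supply them via a registry export); the heuristic for binaries launched from the Application Data folder is an assumption beyond the indicator itself.

```python
# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# values as a name -> command mapping; the entries are made up for this example.
SAMPLE_RUN_VALUES = {
    "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "Free": "%UserProfile%\\Application Data\\froot\\froot.exe -b",
    "SecurityHealth": "C:\\Windows\\system32\\SecurityHealthSystray.exe",
}

# Indicator taken from the write-up: value name, executable path and argument.
INDICATOR_VALUE_NAME = "Free"
INDICATOR_EXE_SUFFIX = "\\froot\\froot.exe"
INDICATOR_ARG = "-b"


def split_command(command: str):
    """Split a Run-key command into (executable path, argument list).

    Handles a quoted path ("C:\\path with spaces\\x.exe" args) and, for an
    unquoted one, takes everything up to the first '.exe' as the path so the
    space in 'Application Data' does not truncate it."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe, rest = command[1:end], command[end + 1:]
    else:
        idx = command.lower().find(".exe")
        if idx == -1:
            exe, _, rest = command.partition(" ")
        else:
            exe, rest = command[: idx + 4], command[idx + 4:]
    return exe, rest.split()


def check_run_value(name: str, command: str) -> list:
    """Return the reasons a Run entry matches the Trojan's persistence pattern."""
    exe, args = split_command(command)
    exe_lower = exe.lower()
    reasons = []
    if name == INDICATOR_VALUE_NAME:
        reasons.append("value name matches indicator")
    if exe_lower.endswith(INDICATOR_EXE_SUFFIX):
        reasons.append("executable path matches indicator")
        if INDICATOR_ARG in args:
            reasons.append("launched with -b")
    # Assumed heuristic: an autostart binary living under the user's Application Data folder.
    if "\\application data\\" in exe_lower and exe_lower.endswith(".exe"):
        reasons.append("runs from user Application Data")
    return reasons


def scan_run_values(values: dict) -> dict:
    """Map each suspicious value name to its list of reasons; clean entries are omitted."""
    findings = {}
    for name, command in values.items():
        reasons = check_run_value(name, command)
        if reasons:
            findings[name] = reasons
    return findings
```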
Next, the Trojan connects to a remote location that is constructed from three components.
The first component is one of the following command-and-control (C&C) server domains:
The next component is one of the following URLs on the C&C server:
Finally, the Trojan uses one of the following parameters at the above address:
The Trojan then downloads commands from the remote location, which allow a remote attacker to perform the following actions on the compromised computer:
- Delete files
- Download and display a ransom message
- Download updates
- Submit a PIN
When the computer is locked with the ransom image, the Trojan ends the following processes:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":