This Trojan is a Chrome browser extension that runs in the background when Chrome is running.
If "chrome://extensions/" or "chrome://extensions-frame" is opened, it redirects the browser to the following URL:
If Facebook is opened, it executes a script located at the following URL:
It then performs a GET request to the following URL:
When the extension runs for the first time, it opens Facebook and get.adobe.com/tr/flashplayer in separate browser windows. An alert box is then displayed with the following message in Turkish stating that Flash Player has been updated:
Adobe Flash Player Güncellendi.
Next, it tries to connect to the following URLs to execute other malicious scripts:
- [http://]goo.gl/3359O?[RANDOM NUMBER]
- [http://]goo.gl/jFstw?[RANDOM NUMBER]
- [http://]goo.gl/n9j3j?[RANDOM NUMBER]
It then shares itself with the user's Facebook friends, attaching an image from the following URL:
The Trojan may also contact the following URLs:
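A triage heuristic for the behaviour described above, as an added example that is not part of the original write-up: it flags extension manifests that combine a background component, the ability to read tab URLs, and host access to Facebook. The write-up does not list the extension's manifest, so these three traits are an assumption about how such an extension would be declared, and the sample manifests and IDs are constructed.

```python
import json

# Constructed sample manifests (not taken from the write-up), keyed by a made-up ID.
SAMPLE_MANIFESTS = {
    "constructed-id-1": json.dumps({
        "name": "Flash Player", "manifest_version": 2,
        "background": {"scripts": ["bg.js"]},
        "permissions": ["tabs", "http://*/*", "https://*/*"]}),
    "constructed-id-2": json.dumps({
        "name": "Photo Helper", "manifest_version": 2,
        "background": {"page": "bg.html"}, "permissions": ["tabs"],
        "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["fb.js"]}]}),
    "constructed-id-3": json.dumps({
        "name": "Dictionary", "manifest_version": 3, "permissions": ["storage"],
        "host_permissions": ["https://dictionary.example/*"]}),
}

# Match patterns that grant access to every site, Facebook included.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def covers_facebook(pattern):
    """True if a match pattern is site-wide or names facebook.com as its host."""
    if pattern in BROAD:
        return True
    host = pattern.split("://", 1)[-1].split("/", 1)[0]
    return host == "facebook.com" or host.endswith(".facebook.com")

def audit_manifest(text):
    """Return the findings for one manifest.json body."""
    m = json.loads(text)
    perms = [p for p in m.get("permissions", []) if isinstance(p, str)]
    hosts = perms + m.get("host_permissions", [])
    for cs in m.get("content_scripts", []):
        hosts += cs.get("matches", [])
    findings = []
    if m.get("background"):
        findings.append("has a background component")
    if "tabs" in perms:
        findings.append("can read tab URLs (tabs permission)")
    if any(covers_facebook(h) for h in hosts):
        findings.append("has host access to facebook.com")
    return findings

def suspicious(manifests):
    """IDs whose manifests show all three traits at once."""
    return sorted(i for i, t in manifests.items() if len(audit_manifest(t)) == 3)

if __name__ == "__main__":
    for ext_id in suspicious(SAMPLE_MANIFESTS):
        print(ext_id, audit_manifest(SAMPLE_MANIFESTS[ext_id]))
```

Legitimate extensions can show all three traits, so a hit is a prompt for manual review of the extension's scripts, not a verdict.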
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":