When the Trojan is executed, it creates the following mutex to ensure that only one copy of the Trojan is running on the compromised computer:
The Trojan then copies itself to the following location:
%UserProfile%\Application Data\[FIVE RANDOM CHARACTERS OR NUMBERS].exe
The Trojan then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"EpsonPLJDriver" = "%UserProfile%\Application Data\[FIVE RANDOM CHARACTERS OR NUMBERS].exe"
The Trojan then deletes all registry entries under the following registry subkeys:
After this, the Trojan generates an encryption key: a string of 15 random characters or numbers. This key is required to decrypt the files the Trojan encrypts.
Next, the Trojan will send the encryption key to the following command-and-control (C&C) server:
If the Trojan successfully connects to the C&C server, the server will return two strings. The Trojan then saves the two strings in the following registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"email" = "[VALUE RECEIVED FROM C&C SERVER]"
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"id" = "[VALUE RECEIVED FROM C&C SERVER]"
The Trojan then creates the following file and writes the string "Completed" to it:
The Trojan then encrypts this file and saves the result to the following location:
Next, the Trojan searches for files with the following file extensions on the compromised computer in order to encrypt them:
Once the Trojan encrypts a file, the encrypted file is saved as the following file name:
[ORIGINAL FILE NAME].oshit.
The Trojan then deletes the original file. The Trojan also creates the following file in the folder of the original file:
After this, the Trojan displays a pop-up message that tells the user that their files are encrypted. The message asks the user to input a password in order to decrypt them.
The Trojan will also kill the following processes:
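The following Python script is an added example (not code from the original page or from Symantec) that checks an offline copy of a compromised system for the indicators described above: the "EpsonPLJDriver" Run entry pointing at the five-character drop file, the "email" and "id" values written under the Winlogon key after the C&C exchange, and files renamed with the .oshit suffix. It assumes the user hive was exported with `reg export HKCU` and that a directory listing is available as a list of paths. The sample export, file names, and the contents of "email" and "id" are constructed, since the page does not give the values the C&C server returns; the mutex name and the list of file extensions are not on the page and are not checked.

```python
"""Offline triage for the indicators in this writeup: scans a .reg export of
the user hive and a list of file paths for the Run entry, the Winlogon
"email"/"id" values, and files renamed with the .oshit suffix.
Added example, not code from the original page; sample data is constructed."""
import re
from typing import Dict, List

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_VALUE_NAME = "EpsonPLJDriver"
WINLOGON_VALUE_NAMES = ("email", "id")
ENCRYPTED_SUFFIX = ".oshit"
# Dropped copy: %UserProfile%\Application Data\<five letters or digits>.exe
DROP_PATH_RE = re.compile(r"\\Application Data\\[A-Za-z0-9]{5}\.exe$", re.IGNORECASE)

# One "name"="string" line of a .reg export (quotes and backslashes are escaped)
_VALUE_LINE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample input (not from the original page): a `reg export HKCU`
# style dump containing the Run entry and the two Winlogon values.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"EpsonPLJDriver"="C:\\Documents and Settings\\alice\\Application Data\\k3x9q.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"email"="decrypt@example.invalid"
"id"="0000001"
"""

# Constructed directory listing: two files renamed by the Trojan, one untouched
SAMPLE_FILES = [
    r"C:\Documents and Settings\alice\My Documents\report.doc.oshit",
    r"C:\Documents and Settings\alice\My Documents\photo.jpg.OSHIT",
    r"C:\Documents and Settings\alice\My Documents\notes.txt",
]


def _unescape(s: str) -> str:
    # In .reg string values a backslash escapes the next character
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for REG_SZ values. Key paths are lower-cased because the
    registry is case-insensitive; value names keep their original case."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def original_name(path: str) -> str:
    """Recover the pre-encryption file name by stripping the appended suffix."""
    if path.lower().endswith(ENCRYPTED_SUFFIX):
        return path[: -len(ENCRYPTED_SUFFIX)]
    return path


def find_indicators(reg_text: str, file_paths: List[str]) -> Dict[str, List[str]]:
    """Return the matching indicators grouped by type."""
    hits: Dict[str, List[str]] = {"persistence": [], "winlogon": [], "encrypted": []}
    keys = parse_reg_export(reg_text)
    # Persistence: the known value name, or any Run entry pointing at the drop path
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == RUN_VALUE_NAME.lower() or DROP_PATH_RE.search(data):
            hits["persistence"].append(f"{name} = {data}")
    # Values written after the C&C exchange; neither is a standard Winlogon value
    for name, data in keys.get(WINLOGON_KEY.lower(), {}).items():
        if name.lower() in WINLOGON_VALUE_NAMES:
            hits["winlogon"].append(f"{name} = {data}")
    # Renamed files: the name can be recovered, the contents cannot
    hits["encrypted"] = [p for p in file_paths if p.lower().endswith(ENCRYPTED_SUFFIX)]
    return hits


if __name__ == "__main__":
    for kind, items in find_indicators(SAMPLE_REG, SAMPLE_FILES).items():
        for item in items:
            print(f"[{kind}] {item}")
```

The suffix check is case-insensitive because NTFS and FAT file names are; the Run key is also matched on the drop-path pattern so that a variant using a different value name is still flagged. Recovering the original file name does not recover the contents: as the page states, the 15-character key is required for that.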
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":