Once executed, the Trojan creates the following mutex so that only one instance of the threat executes on the computer:
Next, the Trojan encrypts files on the compromised computer and appends the following to each encrypted file's name:
The Trojan drops the following file in each location where it encrypts files:
- [PATH TO ENCRYPTED FILES]_DECODE_FILES.txt
The Trojan then asks for payment to have the files decrypted.
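For triage, the ransom note named above can be used to map which folders were affected. The following Python script is an added example, not part of the original write-up: it walks a directory tree, finds folders holding a file whose name ends in `_DECODE_FILES.txt`, and reports the most common extension beside each note as a candidate for the appended extension. Assumptions: the note is matched as a case-insensitive suffix, and the sample tree and the `.locked_example` extension are constructed placeholders.

```python
import os
import tempfile
from collections import Counter

# Ransom note name as given in the write-up; matched as a case-insensitive
# suffix because the page does not show the separator before it.
NOTE_SUFFIX = "_decode_files.txt"


def is_note(filename):
    return filename.lower().endswith(NOTE_SUFFIX)


def triage(root):
    """Return {directory: (note_count, dominant_ext, files_with_ext)} for every
    directory under root that holds a ransom note."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        notes = [f for f in filenames if is_note(f)]
        if not notes:
            continue
        # The appended extension is not shown on the page, so report the most
        # common final extension among the remaining files as a candidate.
        exts = Counter(os.path.splitext(f)[1].lower()
                       for f in filenames if not is_note(f))
        exts.pop("", None)
        ext, count = exts.most_common(1)[0] if exts else ("", 0)
        report[dirpath] = (len(notes), ext, count)
    return report


def build_sample_tree(base):
    """Constructed sample: one affected folder, one clean folder.
    '.locked_example' is a placeholder, not the Trojan's real extension."""
    hit, clean = os.path.join(base, "docs"), os.path.join(base, "clean")
    os.makedirs(hit)
    os.makedirs(clean)
    for name in ("a.docx.locked_example", "b.xlsx.locked_example",
                 "readme.md", "_DECODE_FILES.txt"):
        open(os.path.join(hit, name), "w").close()
    open(os.path.join(clean, "notes.txt"), "w").close()
    return hit, clean


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for d, (n, ext, count) in sorted(triage(tmp).items()):
            print(f"{d}: {n} note(s), candidate extension {ext!r} on {count} file(s)")
```

Run `triage()` against a mounted image or a share root rather than a live infected host, so the scan itself does not alter timestamps that later forensics may rely on.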
The Trojan connects to the following remote location through the Tor network:
The Trojan steals credentials from the following programs:
- Internet Explorer
The Trojan also steals stored certificates.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":