When the worm is executed, it creates the following files on all connected removable drives:
- [DRIVE LETTER]:\Setup.EXE
- [DRIVE LETTER]:\autorun.INF
The worm creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"MyDate" = "[DATE]"
[DATE] is formatted "DD-Mon-YY" (for example "08-Apr-13") and is set 20 days ahead of the date of the initial compromise.
The worm creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MSN Messenger" = "%System%\SVCHOST32.EXE"
Once those 20 days have passed, the worm encrypts every file whose extension is not ".sys" on all drives other than the C: drive.
The encryption is RC4, a stream cipher that XORs each file with a keystream derived from the key. Because XOR is its own inverse, encrypting an already-encrypted file a second time with the same key restores the original file.
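The following is an added example, not Symantec's analysis or the worm's own code. It shows the two behaviours described above in working form: how a "DD-Mon-YY" trigger date 20 days ahead of compromise is computed and checked, and why a second RC4 pass with the same key recovers a file. The RC4 key used here is a placeholder assumption; the write-up does not disclose the worm's key.

```python
import datetime

# Format of the "MyDate" registry value described in the write-up, e.g. "08-Apr-13".
MYDATE_FORMAT = "%d-%b-%y"
TRIGGER_DELAY_DAYS = 20


def trigger_date(compromise: datetime.date) -> str:
    """Return the MyDate string the worm would store: compromise date + 20 days."""
    return (compromise + datetime.timedelta(days=TRIGGER_DELAY_DAYS)).strftime(MYDATE_FORMAT)


def trigger_reached(stored_mydate: str, today: datetime.date) -> bool:
    """True once the current date is on or after the stored trigger date."""
    trigger = datetime.datetime.strptime(stored_mydate, MYDATE_FORMAT).date()
    return today >= trigger


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key-scheduling algorithm, then XOR data with the PRGA keystream.

    Encryption and decryption are the same operation, so rc4(k, rc4(k, x)) == x.
    """
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA), XORed into the data as we go
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def recover(key: bytes, encrypted: bytes) -> bytes:
    """Recover a file the worm encrypted: simply apply the same RC4 pass again."""
    return rc4(key, encrypted)


if __name__ == "__main__":
    # Constructed sample values; the real key is unknown and is an assumption here.
    compromise = datetime.date(2013, 3, 19)
    stored = trigger_date(compromise)            # "08-Apr-13"
    print("MyDate =", stored, "| triggered on 2013-04-08:",
          trigger_reached(stored, datetime.date(2013, 4, 8)))

    key = b"placeholder-key"                     # assumed, not the worm's key
    original = b"quarterly-report.docx contents (constructed sample)"
    encrypted = rc4(key, original)
    assert encrypted != original
    assert recover(key, encrypted) == original
    print("second RC4 pass restored the file:", recover(key, encrypted) == original)
```

The practical consequence for responders: if the key can be extracted from the SVCHOST32.EXE sample (for instance from a static string or by tracing the KSA in a debugger), affected files can be restored by running the same RC4 pass once more, which is exactly what the worm itself would do if it re-encrypted a file.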
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":