The trojan's main component is a DLL that is dropped to:
This DLL is injected into almost all running processes. It is not injected into some executables, including:
- smss.exe
- csrss.exe
- winlogon.exe
It adds a launchpoint in the registry as below:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs = "%system%\fpfstb.dll"
It creates these registry values, probably as infection markers:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\keyboard is_installed = [random string]
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\keyboard id = [random string]
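The following PowerShell script is an added example for checking a host for the persistence mechanism and markers described above; it is not part of the original write-up. It assumes the AppInit_DLLs value lives under the `...\CurrentVersion\Windows` key, as the launchpoint above indicates, and that the marker values are the two names listed. It reports only and changes nothing.

```powershell
# Added example (not from the original write-up): audit the AppInit_DLLs
# launchpoint and the WOW\keyboard infection markers described above.
# Run from an elevated PowerShell prompt on the host under investigation.

$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$markerKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\keyboard'

# 1. AppInit_DLLs launchpoint. On a clean system this value is normally empty;
#    any DLL listed here is loaded into almost every process that links user32.dll.
$appInit = (Get-ItemProperty -Path $appInitKey -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
if ([string]::IsNullOrWhiteSpace($appInit)) {
    Write-Output 'AppInit_DLLs is empty (expected on a clean system).'
} else {
    Write-Warning "AppInit_DLLs is set: $appInit"
    # The value may list several DLLs separated by spaces or commas; resolve each one
    # (relative names are looked up in System32) and hash it for further analysis.
    foreach ($dll in ($appInit -split '[,\s]+' | Where-Object { $_ })) {
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not [IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot "System32\$path"
        }
        if (Test-Path -Path $path) {
            $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            Write-Warning "  $path exists, SHA256=$hash"
        } else {
            Write-Warning "  $path is listed but was not found on disk"
        }
    }
}

# On Windows Vista and later, LoadAppInit_DLLs (DWORD) controls whether the
# AppInit_DLLs value is honoured at all: 0 disables the mechanism.
$load = (Get-ItemProperty -Path $appInitKey -Name 'LoadAppInit_DLLs' -ErrorAction SilentlyContinue).LoadAppInit_DLLs
Write-Output "LoadAppInit_DLLs = $load (absent on pre-Vista systems)"

# 2. Infection markers under WOW\keyboard.
foreach ($name in 'is_installed', 'id') {
    $value = (Get-ItemProperty -Path $markerKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $value) {
        Write-Warning "Marker present: $markerKey\$name = $value"
    } else {
        Write-Output "Marker '$name' not present."
    }
}
```

The script only reads the registry and hashes any listed DLL; removal of the launchpoint is left to the responder, since clearing AppInit_DLLs while the DLL is still loaded in running processes does nothing until those processes restart.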
Activity
Once installed, the DLL encrypts files with the following extensions so that they can no longer be opened:
- ppsm
- ppsx
- ppam
- potm
- potx
- pptm
- pptx
- xlam
- xlsb
- xltm
- xltx
- xlsm
- xlsx
- dotm
- dotx
- docm
- docx
- pst
- mdb
- wma
- mp3
- png
- jpeg
- jpg
- pdf
- ppt
- xls
- doc
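The following PowerShell script is an added triage example, not code from the original write-up. It walks a directory tree and flags files whose extension implies a well-known format but whose leading bytes no longer match that format's signature, which is how files encrypted in the way described above would show up. It assumes the encryption alters the file header (the write-up does not state this); the `$Root` parameter and the signature table are this example's own, and the extensions without a stable signature (mp3, mdb) are not checked.

```powershell
# Added example (not from the original write-up): find files whose content no
# longer matches the format signature their extension implies.
param([string]$Root = "$env:USERPROFILE\Documents")   # assumed default location

# Expected leading bytes (hex) per extension. OOXML formats are ZIP archives,
# legacy Office files are OLE compound documents. mp3 and mdb from the list in
# the write-up have no single stable signature and are deliberately omitted.
$signatures = @{
    'docx'='504B0304'; 'docm'='504B0304'; 'dotx'='504B0304'; 'dotm'='504B0304'
    'xlsx'='504B0304'; 'xlsm'='504B0304'; 'xltx'='504B0304'; 'xltm'='504B0304'
    'xlsb'='504B0304'; 'xlam'='504B0304'
    'pptx'='504B0304'; 'pptm'='504B0304'; 'potx'='504B0304'; 'potm'='504B0304'
    'ppam'='504B0304'; 'ppsx'='504B0304'; 'ppsm'='504B0304'
    'doc'='D0CF11E0'; 'xls'='D0CF11E0'; 'ppt'='D0CF11E0'
    'pdf'='25504446'; 'png'='89504E47'; 'jpg'='FFD8FF'; 'jpeg'='FFD8FF'
    'pst'='2142444E'; 'wma'='3026B275'
}

# Read the first $Count bytes of a file and return them as an upper-case hex string.
function Get-LeadingHex([string]$Path, [int]$Count) {
    $buffer = New-Object byte[] $Count
    $stream = [IO.File]::OpenRead($Path)
    try { $read = $stream.Read($buffer, 0, $Count) } finally { $stream.Dispose() }
    if ($read -lt $Count) { return '' }   # shorter than the signature: report as mismatch
    return (($buffer | ForEach-Object { $_.ToString('X2') }) -join '')
}

$suspect = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $signatures.ContainsKey($_.Extension.TrimStart('.').ToLower()) } |
    ForEach-Object {
        $expected = $signatures[$_.Extension.TrimStart('.').ToLower()]
        $actual   = Get-LeadingHex -Path $_.FullName -Count ($expected.Length / 2)
        if ($actual -ne $expected) {
            [pscustomobject]@{
                Path      = $_.FullName
                Expected  = $expected
                Actual    = $actual
                LastWrite = $_.LastWriteTime
            }
        }
    }

# Sorting by modification time groups files damaged in the same run together,
# which helps establish when the infection started.
$suspect | Sort-Object LastWrite | Format-Table -AutoSize
```

A mismatch is only an indicator: a file saved under the wrong extension, or a zero-length placeholder, fails the same check, so confirm individual hits by opening them in the relevant application or with a hex viewer before treating them as damaged.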
Any newly created files on the system that use one of the extensions listed above are also encrypted. When the user tries to open an encrypted file, a screen like the one below is shown:
It also shows a popup like the one below in the bottom right corner, next to the system tray:
The only way offered to users to fix the so-called corrupted files is to purchase the FileFixPro program. If the "repair file" option is selected, the user is directed to this site:
- https://www.filefixpro.com/[...]/download.php
The downloaded program is a scanner that shows a screen like the one below: