Technical Information
To ensure autorun and distribution
Creates the following files on removable media
- <Drive name for removable media>:\caltpxbo.key
- <Drive name for removable media>:\roozenedowebinar.pptx
- <Drive name for removable media>:\waterresourcesag.pptx
- <Drive name for removable media>:\stoc13_ml_quoc_le.pptx
- <Drive name for removable media>:\adhd_and_obesity.docx
- <Drive name for removable media>:\thlps_keeper_mayer_1965.docx
- <Drive name for removable media>:\issi2013_template_for_posters.docx
- <Drive name for removable media>:\nwfieldnotes1966.docx
- <Drive name for removable media>:\aoc_saq_d_v3_merchant.docx
- <Drive name for removable media>:\uep_form_786_bulletin_1726i602.doc
- <Drive name for removable media>:\fi51.doc
- <Drive name for removable media>:\samieee_obiee_presentation.pptx
- <Drive name for removable media>:\weeklysheet1215.doc
- <Drive name for removable media>:\hanni_umami_chapter.doc
- <Drive name for removable media>:\ovp25012015.doc
- <Drive name for removable media>:\default.bmp
- <Drive name for removable media>:\tileimage.bmp
- <Drive name for removable media>:\how_to_decrypt.txt
- <Drive name for removable media>:\dashborder_96.bmp
- <Drive name for removable media>:\dashborder_192.bmp
- <Drive name for removable media>:\delete.avi
- <Drive name for removable media>:\correct.avi
- <Drive name for removable media>:\bczrsn3a.key
- <Drive name for removable media>:\february_catalogue__2015.doc
- <Drive name for removable media>:\hypothyroidism_slides.pptx
Malicious functions
To complicate detection of its presence in the operating system,
deletes volume shadow copies.
Terminates or attempts to terminate
the following user processes:
- firefox.exe
Modifies file system
Creates the following files
- %TEMP%\abc.1111263934.exe
- nul
- C:\caltpxbo.key
- D:\caltpxbo.key
- C:\bczrsn3a.key
- D:\bczrsn3a.key
- C:\how_to_decrypt.txt
- D:\how_to_decrypt.txt
Deletes the following files
- %TEMP%\abc.1111263934.exe
Moves the following files
- from %APPDATA%\winamp\demo.mp3 to %APPDATA%\winamp\demo.mp3.bczrsn3a_0reresrq97e
- from %APPDATA%\opera software\opera stable\storage\ext\sync-login\def\quotamanager to %APPDATA%\opera software\opera stable\storage\ext\sync-login\def\quotamanager.caltpxbo_2pqamrb29vb
- from %APPDATA%\opera software\opera stable\storage\ext\sync-login\def\gpucache\data_0 to %APPDATA%\opera software\opera stable\storage\ext\sync-login\def\gpucache\data_0.bczrsn3a_-dg4ocpbwch
- from %APPDATA%\opera software\opera stable\storage\ext\sync-login\def\gpucache\data_1 to %APPDATA%\opera software\opera stable\storage\ext\sync-login\def\gpucache\data_1.bczrsn3a_0jcqkjlzwvl
- from %APPDATA%\opera software\opera stable\local storage\https_www.yandex.ru_0.localstorage to %APPDATA%\opera software\opera stable\local storage\https_www.yandex.ru_0.localstorage.bczrsn3a_1hywfjv7-_v
- from %APPDATA%\opera software\opera stable\local storage\https_www.yandex.ru_0.localstorage-journal to %APPDATA%\opera software\opera stable\local storage\https_www.yandex.ru_0.localstorage-journal.bczrsn3a_5ycnjwgbgyg
- from %APPDATA%\opera software\opera stable\jump list iconsold\3651.tmp to %APPDATA%\opera software\opera stable\jump list iconsold\3651.tmp.bczrsn3a_5suljrjsulj
- from %APPDATA%\opera software\opera stable\jump list iconsold\36a1.tmp to %APPDATA%\opera software\opera stable\jump list iconsold\36a1.tmp.caltpxbo_7i4rkzqufbq
- from %APPDATA%\opera software\opera stable\jump list iconsold\36c3.tmp to %APPDATA%\opera software\opera stable\jump list iconsold\36c3.tmp.caltpxbo_6cgokahiseh
- from %APPDATA%\opera software\opera stable\jump list iconsold\3703.tmp to %APPDATA%\opera software\opera stable\jump list iconsold\3703.tmp.bczrsn3a_7s0tlrlzwwz
- from %APPDATA%\opera software\opera stable\jump list iconsold\3724.tmp to %APPDATA%\opera software\opera stable\jump list iconsold\3724.tmp.caltpxbo_2dnzwxawlpa
- from %APPDATA%\opera software\opera stable\jump list iconsold\3765.tmp to %APPDATA%\opera software\opera stable\jump list iconsold\3765.tmp.caltpxbo_97e3t4aaaaa
- from %APPDATA%\opera software\opera stable\jump list iconsold\3796.tmp to %APPDATA%\opera software\opera stable\jump list iconsold\3796.tmp.bczrsn3a_zo6ojqskpks
- from %APPDATA%\opera software\opera stable\jump list icons\50ed.tmp to %APPDATA%\opera software\opera stable\jump list icons\50ed.tmp.bczrsn3a_3h4ehg4odg4
- from %APPDATA%\opera software\opera stable\jump list icons\514d.tmp to %APPDATA%\opera software\opera stable\jump list icons\514d.tmp.bczrsn3a_2jiymkkpksk
- from %APPDATA%\opera software\opera stable\jump list icons\516e.tmp to %APPDATA%\opera software\opera stable\jump list icons\516e.tmp.bczrsn3a_6cgokcioqki
- from %APPDATA%\opera software\opera stable\jump list icons\51ce.tmp to %APPDATA%\opera software\opera stable\jump list icons\51ce.tmp.bczrsn3a_wicagiaaaaa
- from %APPDATA%\opera software\opera stable\jump list icons\51ff.tmp to %APPDATA%\opera software\opera stable\jump list icons\51ff.tmp.caltpxbo_4cagiciiiii
- from %APPDATA%\opera software\opera stable\jump list icons\524f.tmp to %APPDATA%\opera software\opera stable\jump list icons\524f.tmp.caltpxbo_-tk5otdw8n9
- from %APPDATA%\opera software\opera stable\jump list icons\529f.tmp to %APPDATA%\opera software\opera stable\jump list icons\529f.tmp.bczrsn3a_3z2dnz5exl5
- from %APPDATA%\mra\update\languages.aff to %APPDATA%\mra\update\languages.aff.bczrsn3a_xywfhaagica
- from %APPDATA%\mra\update\languages.dict to %APPDATA%\mra\update\languages.dict.bczrsn3a_6cgopojcqkj
- from %APPDATA%\mra\update\languages.hash to %APPDATA%\mra\update\languages.hash.caltpxbo_8tekpls7ozs
- from %APPDATA%\mra\base\mra.dbs to %APPDATA%\mra\base\mra.dbs.caltpxbo_5ycnjyuljsu
- from %APPDATA%\mra\base\opt.dbs to %APPDATA%\mra\base\opt.dbs.bczrsn3a_87ozs76-vr6
- from %APPDATA%\mozilla\firefox\profiles\gn7ryp3k.default\content-prefs.sqlite to %APPDATA%\mozilla\firefox\profiles\gn7ryp3k.default\content-prefs.sqlite.bczrsn3a_ygokchdxv1d
- from %APPDATA%\opera software\opera stable\storage\ext\sync-login\def\cookies to %APPDATA%\opera software\opera stable\storage\ext\sync-login\def\cookies.bczrsn3a_6ysrkwslcws
- from %APPDATA%\mozilla\firefox\profiles\gn7ryp3k.default\cookies.sqlite to %APPDATA%\mozilla\firefox\profiles\gn7ryp3k.default\cookies.sqlite.caltpxbo_0zgrkzhywfh
- from %APPDATA%\opera software\opera stable\web data-journal to %APPDATA%\opera software\opera stable\web data-journal.bczrsn3a_8jiygi2njy2
- from %APPDATA%\opera software\opera stable\visited links to %APPDATA%\opera software\opera stable\visited links.caltpxbo_1f8_pyenp6e
- from %APPDATA%\thunderbird\profiles\wjj9aet2.default\blist.sqlite to %APPDATA%\thunderbird\profiles\wjj9aet2.default\blist.sqlite.bczrsn3a_0baqeatexmt
- from %APPDATA%\thunderbird\profiles\wjj9aet2.default\cookies.sqlite to %APPDATA%\thunderbird\profiles\wjj9aet2.default\cookies.sqlite.caltpxbo_0tls0vmzmzm
- from %APPDATA%\thunderbird\profiles\wjj9aet2.default\global-messages-db.sqlite to %APPDATA%\thunderbird\profiles\wjj9aet2.default\global-messages-db.sqlite.caltpxbo__7-_v7t7und
- from %APPDATA%\thunderbird\profiles\wjj9aet2.default\permissions.sqlite to %APPDATA%\thunderbird\profiles\wjj9aet2.default\permissions.sqlite.bczrsn3a_yagicclpawl
- from %APPDATA%\thunderbird\profiles\wjj9aet2.default\places.sqlite to %APPDATA%\thunderbird\profiles\wjj9aet2.default\places.sqlite.bczrsn3a_4qkioomdawm
- from %APPDATA%\thunderbird\profiles\wjj9aet2.default\prefs.js to %APPDATA%\thunderbird\profiles\wjj9aet2.default\prefs.js.bczrsn3a_9ra2tohbwch
- from %APPDATA%\thunderbird\profiles\wjj9aet2.default\webappsstore.sqlite to %APPDATA%\thunderbird\profiles\wjj9aet2.default\webappsstore.sqlite.bczrsn3a_xgygbjy8vly
- from %APPDATA%\telegram desktop\log.txt to %APPDATA%\telegram desktop\log.txt.caltpxbo-9ra2triymji
- from %APPDATA%\telegram desktop\tdata\90ef50e22e92cb8c0 to %APPDATA%\telegram desktop\tdata\90ef50e22e92cb8c0.caltpxbo_5awlpzwvlzw
- from %APPDATA%\opera software\opera stable\bookmarks to %APPDATA%\opera software\opera stable\bookmarks.bczrsn3a_1zwvlbkysrk
- from %APPDATA%\opera software\opera stable\bookmarks.bak to %APPDATA%\opera software\opera stable\bookmarks.bak.bczrsn3a_ygoqklj4-pj
- from %APPDATA%\opera software\opera stable\bookmarksextras to %APPDATA%\opera software\opera stable\bookmarksextras.bczrsn3a_5ikjcsvr6-v
- from %APPDATA%\opera software\opera stable\browser.js to %APPDATA%\opera software\opera stable\browser.js.bczrsn3a_3r0dhrntu1n
- from %APPDATA%\opera software\opera stable\cookies to %APPDATA%\opera software\opera stable\cookies.caltpxbo_0rererkskqw
- from %APPDATA%\opera software\opera stable\cookies-journal to %APPDATA%\opera software\opera stable\cookies-journal.caltpxbo_6kioql29vb2
- from %APPDATA%\opera software\opera stable\favicons to %APPDATA%\opera software\opera stable\favicons.caltpxbo_3jycnjpt09p
- from %APPDATA%\opera software\opera stable\favicons-journal to %APPDATA%\opera software\opera stable\favicons-journal.bczrsn3a__7-_v5cqkjc
- from %APPDATA%\opera software\opera stable\history to %APPDATA%\opera software\opera stable\history.caltpxbo_2rkzgqmdawm
- from %APPDATA%\opera software\opera stable\history-journal to %APPDATA%\opera software\opera stable\history-journal.bczrsn3a_-zs7owbaqeb
- from %APPDATA%\opera software\opera stable\login data to %APPDATA%\opera software\opera stable\login data.bczrsn3a_zg4odidg4od
- from %APPDATA%\opera software\opera stable\origin bound certs to %APPDATA%\opera software\opera stable\origin bound certs.caltpxbo_2bgdg6zs7oz
- from %APPDATA%\opera software\opera stable\preferences to %APPDATA%\opera software\opera stable\preferences.bczrsn3a__r6-vpdq0nd
- from %APPDATA%\opera software\opera stable\quotamanager to %APPDATA%\opera software\opera stable\quotamanager.bczrsn3a_-jo6ojdw8pd
- from %APPDATA%\opera software\opera stable\session.db-journal to %APPDATA%\opera software\opera stable\session.db-journal.bczrsn3a_xgysrj1dxv1
- from %APPDATA%\opera software\opera stable\session.dbak to %APPDATA%\opera software\opera stable\session.dbak.bczrsn3a__7-_v5cqkjc
- from %APPDATA%\opera software\opera stable\web data to %APPDATA%\opera software\opera stable\web data.bczrsn3a_35-fn4uli4u
- from %APPDATA%\mozilla\firefox\profiles\gn7ryp3k.default\cookies.sqlite-shm to %APPDATA%\mozilla\firefox\profiles\gn7ryp3k.default\cookies.sqlite-shm.bczrsn3a_zo6ojqskpks
Modifies the following files
- <Drive name for removable media>:\dashborder_192.bmp.caltpxbo_-jo6oja2tra
- <Drive name for removable media>:\correct.avi.bczrsn3a_8dawmaokcgo
- <Drive name for removable media>:\delete.avi.caltpxbo_2zmzmzubm5u
- <Drive name for removable media>:\dashborder_96.bmp.caltpxbo_4seuli9pt09
- <Drive name for removable media>:\tileimage.bmp.bczrsn3a_46ojo5zwvlz
- <Drive name for removable media>:\default.bmp.bczrsn3a_4kcgtrzwvlz
- <Drive name for removable media>:\hanni_umami_chapter.doc.caltpxbo-zawmdaufbqu
- <Drive name for removable media>:\issi2013_template_for_posters.docx.caltpxbo--dg4oc6urps
Substitutes the following files
- <Drive name for removable media>:\february_catalogue__2015.doc
- <Drive name for removable media>:\aoc_saq_d_v3_merchant.docx
Changes user data files extensions (Trojan.Encoder).
