When the Trojan is executed, it copies itself to the following location:
The Trojan also creates the following files:
It may then delete the following file:
Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"TSErrRedir" = "%UserProfile%\Application Data\Microsoft\Windows\53\TSErrRedir.exe"
Next, the Trojan locks the computer and displays a fraudulent message on the screen, informing the user that they are in breach of copyright law and requesting a money transfer using a Ukash account.
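A triage check for the Run entry described above, as an added example that is not part of the original write-up: it parses the text output of `reg query` and flags the "TSErrRedir" value or its path, and, going beyond the specific case here, any machine-wide Run value that launches from inside a user profile. The function names, the profile heuristic and the sample output are assumptions constructed for this example.

```python
import re

# Indicators taken from the write-up above (compared case-insensitively).
IOC_VALUE_NAME = "tserrredir"
IOC_PATH_SUFFIX = r"\application data\microsoft\windows\53\tserrredir.exe"

# Heuristic (this example's assumption): HKLM Run data inside a user profile.
PROFILE_HINT = re.compile(
    r"%userprofile%|%appdata%|\\documents and settings\\|\\users\\", re.I)

# One value line of `reg query` output: name, type, data separated by 4 spaces.
VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")


def parse_reg_query(text):
    """Yield (key, name, data) for every value in `reg query` text output."""
    key = None
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if line.startswith("HKEY_"):
            key = line.strip()
        elif m and key:
            yield key, m.group(1), m.group(3)


def triage_run_values(text):
    """Return (severity, name, data) findings: 'ioc' or 'review'."""
    findings = []
    for key, name, data in parse_reg_query(text):
        if not key.lower().endswith(r"\currentversion\run"):
            continue  # only the autostart key matters here
        target = data.strip().strip('"').lower()
        if name.lower() == IOC_VALUE_NAME or IOC_PATH_SUFFIX in target:
            findings.append(("ioc", name, data))
        elif PROFILE_HINT.search(target):
            findings.append(("review", name, data))
    return findings


# Constructed sample of `reg query` output for the HKLM Run key.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    "C:\Users\alice\AppData\Local\Temp\upd.exe" /silent
    TSErrRedir    REG_SZ    C:\Documents and Settings\alice\Application Data\Microsoft\Windows\53\TSErrRedir.exe
"""

if __name__ == "__main__":
    print(*triage_run_values(SAMPLE), sep="\n")
```

A "review" finding is only a prompt to inspect the binary, since legitimate software occasionally installs under a profile directory.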
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":