When the Trojan is executed, it copies itself to the following locations:
- %UserProfile%\Local Settings\Application Data\[THREAT FILE NAME].exe
- %UserProfile%\Application Data\[THREAT FILE NAME].exe
Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\"AutoRun" =
"%UserProfile%\Application Data\[THREAT FILE NAME].exe"
It also modifies the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe, %SystemDrive%\Documents and Settings\All Users\Application Data\[THREAT FILE NAME].exe"
The Trojan then locks the compromised computer, preventing the user from accessing their files. Once the computer has been locked, the threat displays a notice page requesting money to be paid in order for the computer to be unlocked.
It also connects to the following remote location:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":