When the Trojan is executed, it copies itself to the following location:
Next, the Trojan sets the Read-only, Hidden, System, and Directory attributes for the following files:
The Trojan then deletes the following registry subkeys in order to disable Safe Mode Boot:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\SafeMode
The Trojan ends the following processes, making it difficult to stop the threat from running:
The Trojan then displays the following message:
[RUSSIAN TEXT] Microsoft Corp. : [REMOVED] [RUSSIAN TEXT]
Translated from Russian:
Microsoft Corp. headquarters: Russia, 121745, Moscow, Kirilovca house 17, +4 495-338-85-85. Microsoft [REMOVED] The version of Windows on your computer is not licensed; further work on your computer is not possible.
The Trojan then asks the user to purchase a license to restore access to the computer.
The key to disable the threat is 13616. This key is hard-coded into the Trojan.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":