When executed, the Trojan copies itself as the following file:
It then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"15886941" = "%UserProfile%\15886941\15886941.exe"
Next, the Trojan ends all programs running on the compromised computer and disables the mouse and keyboard.
It then displays an image that contains Russian text and an adult image on the desktop.
The Russian text translates into English as the following message:
You surfed gay porn videos for three hours.
The free viewing time has expired.
To pay for the service, you need to make an online payment through the Beeline system to 9646280479 for the amount of $400 USD.
Upon receipt of the payment you will be given an activation code.
Enter it in the box below and press Enter.
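A defender's check for the Run-key persistence described above, as an added example that is not part of the original write-up: it parses `reg query` text output and flags values whose name is all digits and whose data points to `<profile>\<name>\<name>.exe`. Treating the numeric name as variable between infections is an assumption (the page shows only `15886941`); the sample output and function names are constructed.

```python
import ntpath
import re

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    15886941    REG_SZ    %UserProfile%\15886941\15886941.exe
    20240101    REG_SZ    C:\Program Files\Vendor\20240101\updater.exe
"""

# One value line of reg query output: 4 spaces, name, 4 spaces, type, 4 spaces, data
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")
# A user profile root, either unexpanded or expanded
PROFILE_ROOT = re.compile(
    r"(?i)^(%userprofile%|[a-z]:\\(users|documents and settings)\\[^\\]+)$")


def parse_run_values(reg_output):
    """Return (name, data) pairs for every value line in reg query output."""
    matches = (VALUE_LINE.match(line) for line in reg_output.splitlines())
    return [(m["name"], m["data"].strip()) for m in matches if m]


def executable_path(data):
    """Extract the program path from a Run value, quoted or unquoted."""
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.+?\.exe)\b", data)  # unquoted: cut after first .exe
    return m.group(1) if m else data


def is_suspicious(name, data):
    """True for a numeric value name launching <profile>\\<name>\\<name>.exe."""
    if not name.isdigit():
        return False
    folder, exe = ntpath.split(executable_path(data))
    root, sub = ntpath.split(folder)
    return (exe.lower() == name + ".exe" and sub == name
            and PROFILE_ROOT.match(root) is not None)


def find_suspicious(reg_output):
    """Return the (name, path) pairs that match the pattern on this page."""
    return [(n, executable_path(d)) for n, d in parse_run_values(reg_output)
            if is_suspicious(n, d)]


if __name__ == "__main__":
    for name, path in find_suspicious(SAMPLE):
        print(f"suspicious Run value {name!r} -> {path}")
```
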
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":