This Trojan must be manually downloaded and installed.
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"" = "%WORKINGDIRECTORY%\%SAMPLENAME%"
The Trojan will then lock the desktop and display the following image:
The Trojan connects to the following URL to display this image:
Note: The image says the computer has been locked for security reasons. It offers a Windows security check that claims will clean the machine after paying 100 euros.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":