When the Trojan is executed, it copies itself to the following location:
%CurrentFolder%\[THREAT FILE NAME].exe
Next, it creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"GoogleChrome" = "%CurrentFolder%\[THREAT FILE NAME].exe"
Next, the Trojan locks the computer and displays a fraudulent message on the screen. The message informs the user that they are in breach of copyright law and requests a money transfer of $200 to a MoneyPak account.
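A check for the startup entry described above, as an added example that is not part of the original write-up: it reads the current user's Run key and, for a value named GoogleChrome, reports the target path, whether the file exists, its Authenticode status and its SHA-256. The key and value name come from the write-up; the function names are hypothetical.

```powershell
# Added example: audit the HKCU Run key for the "GoogleChrome" value named in the write-up.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'GoogleChrome'

function Get-ExePathFromCommand {          # hypothetical helper name
    param([string]$Command)
    # Run data may be quoted and carry arguments; keep only the executable path.
    if ($Command -match '^\s*"([^"]+)"')     { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.exe)\b')  { return $Matches[1] }
    return $Command.Trim()
}

function Test-RunValue {                   # hypothetical helper name
    param([string]$Name, [string]$Data)
    $path   = [Environment]::ExpandEnvironmentVariables((Get-ExePathFromCommand $Data))
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
    [pscustomobject]@{
        Name      = $Name
        Data      = $Data
        Path      = $path
        Exists    = $exists
        Signature = if ($sig) { $sig.Status } else { 'n/a' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256    = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { '' }
    }
}

$key = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($null -eq $key) {
    Write-Output 'Run key not present for this user.'
    return
}

# Registry value names are case-insensitive, as is PowerShell's -eq on strings.
$hits = foreach ($name in $key.GetValueNames()) {
    if ($name -eq $valueName) {
        Test-RunValue -Name $name -Data ([string]$key.GetValue($name))
    }
}

if ($hits) { $hits | Format-List } else { Write-Output "No '$valueName' value under $runKey." }
```

HKEY_CURRENT_USER is per-user, so run this in the session of the account being examined. A hit whose target is unsigned or sits outside an expected install directory is the entry to investigate.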
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":