When the Trojan is executed, it creates the following file:
%UserProfile%\Application Data\Windows Authentication\Windows Authentication.exe
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Windows Authentication" = "%UserProfile%\Application Data\Windows Authentication\Windows Authentication.exe"
Next, the Trojan creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"CleanShutdown" = "0"
Next, the Trojan ends the following processes, making it difficult to stop the threat from running:
The Trojan then locks the screen and displays an image titled "Genuine Microsoft Software", which attempts to trick the user into paying for a fake Windows upgrade. If the user pays for the upgrade, additional malware is downloaded onto the compromised computer.
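The indicators above (the dropped file, the Run value and the CleanShutdown value) can be checked and undone with the triage script below. It is an added example, not part of the Symantec write-up and not a Symantec tool. It assumes it is run in the affected user's session with the Trojan not running, for example from Safe Mode with Command Prompt (Safe Mode does not process Run keys, which sidesteps the process-killing behaviour), and that PowerShell 4 or later is available for Get-FileHash. The quarantine location and the -Remove switch are the script's own choices.

```powershell
# Added triage/cleanup script for the indicators listed in this write-up.
# Not Symantec code. Run as the affected user, with the Trojan not running
# (e.g. Safe Mode with Command Prompt). Read-only unless -Remove is given.
[CmdletBinding()]
param(
    [switch]$Remove   # assumption: undo the persistence and quarantine the file
)

# Indicators copied from the write-up. "%UserProfile%\Application Data" is the
# XP-era profile layout; on Vista and later it is a junction to AppData\Roaming,
# so both spellings are checked.
$runKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue    = 'Windows Authentication'
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'
$dropPaths   = @(
    (Join-Path $env:USERPROFILE 'Application Data\Windows Authentication\Windows Authentication.exe'),
    (Join-Path $env:APPDATA     'Windows Authentication\Windows Authentication.exe')
) | Select-Object -Unique
$quarantine  = Join-Path $env:TEMP 'quarantine'   # assumption: where the sample is kept for analysis

$findings = @()

# 1. Run-key persistence: Get-ItemProperty returns $null if the value is absent.
$run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Run value '$runValue' = $($run.$runValue)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runValue }
}

# 2. CleanShutdown tampering: the write-up reports the value set to 0.
$exp = Get-ItemProperty -Path $explorerKey -Name 'CleanShutdown' -ErrorAction SilentlyContinue
if ($exp -and $exp.CleanShutdown -eq 0) {
    $findings += 'Explorer\CleanShutdown = 0'
    if ($Remove) { Remove-ItemProperty -Path $explorerKey -Name 'CleanShutdown' }
}

# 3. Dropped executable: record its hash, then quarantine rather than delete
#    so the sample is available for analysis.
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += "File present: $p (SHA256 $hash)"
        if ($Remove) {
            New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
            Move-Item -LiteralPath $p -Destination (Join-Path $quarantine "$hash.bin")
        }
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
    if (-not $Remove) { Write-Output 'Re-run with -Remove to clean up.' }
} else {
    Write-Output 'No indicators from this write-up were found for the current user.'
}
```

The script only checks HKEY_CURRENT_USER for the user it runs as; if the machine is triaged from a different account, load the affected user's NTUSER.DAT hive (reg load) and adjust the key paths accordingly. Absence of these three indicators rules out only this exact variant, not a repacked one that uses different names.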
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":