When the Trojan is executed, it creates the following folder:
%UserProfile%/Application Data/Local Settings/Application Data/KB9162892
It then creates the following file:
%UserProfile%/Application Data/Local Settings/Application Data/KB9162892/KB9162892.exe
Next, the Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"KB9162892" = "%UserProfile%/Application Data/Local Settings/Application Data/KB9162892/KB9162892.exe"
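A host check for the folder, file and registry entry listed above, as an added example that is not part of the original write-up. The helper name `Get-RunValueVerdict` and the `REVIEW` heuristic are assumptions made for illustration; the indicator name, registry key and file path are the ones on this page.

```powershell
# Added example. Indicator name, registry key and file path come from the write-up.
$Indicator = 'KB9162892'
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$RelPath   = "Application Data\Local Settings\Application Data\$Indicator\$Indicator.exe"

function Get-RunValueVerdict {   # hypothetical helper name
    param([string]$ValueName, [string]$Data)
    # Expand variables and normalise separators (the write-up shows forward slashes).
    $path = [Environment]::ExpandEnvironmentVariables($Data).Trim('"').Replace('/', '\')
    if ($ValueName -eq $Indicator -or $path -like "*\$Indicator\$Indicator.exe") {
        return 'MATCH'
    }
    # Assumption (heuristic, not from the write-up): autoruns in this policy key
    # that launch from a user profile are unusual and deserve a manual look.
    if ($path -like '*\Users\*' -or $path -like '*\Documents and Settings\*') {
        return 'REVIEW'
    }
    return 'OK'
}

# 1. Values under the policies\Explorer\Run key.
if (Test-Path -Path $RunKey) {
    $key = Get-Item -Path $RunKey
    foreach ($name in $key.GetValueNames()) {
        # Read the raw data so the verdict function sees unexpanded variables too.
        $data = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        [pscustomobject]@{
            Source  = 'Registry'
            Item    = $name
            Detail  = $data
            Verdict = (Get-RunValueVerdict -ValueName $name -Data $data)
        }
    }
}

# 2. The dropped file, checked under every local profile directory.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem -Path $profileList | ForEach-Object {
    $root = $_.GetValue('ProfileImagePath')
    if ($root) {
        $file = Join-Path $root $RelPath
        if (Test-Path -LiteralPath $file) {
            $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            [pscustomobject]@{ Source = 'File'; Item = $file; Detail = $hash; Verdict = 'MATCH' }
        }
    }
}
```

Run it from an elevated prompt so that other users' profile folders are readable.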
The Trojan may connect to the following remote locations:
The Trojan may lock the desktop, making the computer unusable, and ask the user to pay to unlock it.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":