Once executed, the Trojan creates the following file:
[PATH TO THE TROJAN]\keylog.dll
The Trojan creates the following registry subkeys:
The Trojan pretends to be a legitimate Microsoft activation program and tricks the user into entering their credit card details to activate Windows.
The Trojan shuts down the compromised computer if the user does not enter their credit card numbers.
The Trojan prevents the user from running or switching to another application or to Task Manager.
The Trojan sends the stolen information to the following URL:
The Trojan displays the following images:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":