When the Trojan is executed, it copies itself to the following location:
It also creates the following shortcut for the above file:
%UserProfile%\Start Menu\Programs\Startup\Quick Office.lnk
Next, the Trojan modifies the following registry entry in order to disable the Windows Task Mangager:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
The Trojan then hooks the keyboard to prevent anything except numbers from being typed.
It then displays a message in Russian requesting a number to be entered in order to restore access to the computer.
The Trojan attempts to prevent any other interaction with the computer until the correct number is entered.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":