When the Trojan is executed, it copies itself to the following location:
%UserProfile%\Application Data\KB[EIGHT RANDOM DIGITS].exe
Next, the Trojan creates the following registry entry so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"KB[EIGHT RANDOM DIGITS].exe" = "%UserProfile%\Application Data\KB[EIGHT RANDOM DIGITS].exe"
Next, the Trojan locks the computer and displays a fraudulent message on the screen, informing the user that they are in breach of copyright law and requesting a money transfer using a Ukash account.
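A check for the persistence entry described above, as an added example that is not part of the original write-up: it parses the text output of reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run and flags values whose name and target file both follow the KB-plus-eight-digits pattern inside the Application Data folder. The function names and the sample output are constructed for illustration, and accepting AppData\Roaming as an equivalent folder is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Name pattern from the write-up: "KB" + eight digits + ".exe".
KB_NAME = re.compile(r"KB\d{8}\.exe", re.IGNORECASE)
# One value line of `reg query` output: name, type and data, 4 spaces apart.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def parse_run_values(reg_output):
    """Yield (name, data) for each value in `reg query` text output."""
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            yield m.group("name"), m.group("data").strip().strip('"')

def in_app_data(path):
    """True if the file sits directly in the profile's Application Data folder."""
    parent = [p.lower() for p in path.parent.parts]
    # Assumption: AppData\Roaming is accepted too, because "Application Data"
    # is a junction to it on Windows Vista and later.
    return parent[-1:] == ["application data"] or parent[-2:] == ["appdata", "roaming"]

def find_suspect_entries(reg_output):
    """Return Run values whose name and target both follow the described pattern."""
    hits = []
    for name, data in parse_run_values(reg_output):
        target = PureWindowsPath(data)
        if (KB_NAME.fullmatch(name) and target.name.lower() == name.lower()
                and in_app_data(target)):
            hits.append((name, data))
    return hits

# Constructed sample of `reg query` output (not taken from a real machine).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    KB00314159.exe    REG_SZ    C:\Documents and Settings\alice\Application Data\KB00314159.exe
    KB2533623.exe    REG_SZ    C:\Program Files\Vendor\KB2533623.exe
    KB00271828.exe    REG_EXPAND_SZ    "%UserProfile%\Application Data\KB00271828.exe"
"""

if __name__ == "__main__":
    for name, data in find_suspect_entries(SAMPLE):
        print(f"suspect Run value: {name} -> {data}")
```

Requiring the value name, the file name and the folder to agree keeps a legitimately named KB file elsewhere on disk from being flagged.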
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":