When the Trojan is executed, it may create the following folder:
It attempts to terminate all non-operating system services running on the compromised computer.
It then disables AutoRun.
Next, it deletes the contents of the Windows Startup folder.
It then deletes all entries in the following registry subkeys:
The Trojan then attempts to encrypt files found on the compromised computer.
After the files are encrypted, the Trojan displays a ransom message with the following headline:
Warning! Access to your computer is limited. Your files have been encrypted.
The user is then requested to pay $4000 US for the key to decrypt the files.
The Trojan may also open a back door allowing attackers remote access to the compromised computer.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":