When the file is executed, it will generate a fake word document in the %MyDocuments% folder. This word document will have a name similar to doc_attached_CnIj4 and will be automatically opened to make it look like the attachment was corrupted.
When files are encrypted they will append with the .locked extension to the filename. That means if a file is called test.jpg it will be encrypted and renamed as test.jpg.locked. The file types targeted by this infection are:
.doc, .xls, .rtf, .pdf, .dbf, .jpg, .dwg, .cdr, .psd, .cd, .mdb, .png, .lcd, .zip, .rar, .csv
If you wish to disable the windows script host, which is enabled by default in Windows,you can add the following DWORD Registry entry to your computer and set the value to 0.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled