The virus itself is spread through spam emails that claim to be invoices. The attached files in the emails are .ZIP files that contain .HTA files which pretend to be other files via double extension. When one of these .HTA files are executed, the virus starts its payload. When the payload begins, it extracts a file named close.js to the %Temp% folder and executes it, which extracts another executable named in gibberish. This executable will begin encrypting files on the computer. At the same time, the virus will attempt to open a .DOCX file, which reports an error. Encrypted files do not get an extra file extension, thus keeping their names intact. To prevent booting from failing, Spora will not encrypt files in folders that have the names "games," "program files," "program files (x86)," a