Once executed, the virus creates the mutex named "VT_3" so that only one instance of the threat runs on the compromised computer.
It then attempts to infect all accessed .exe or .scr files by appending itself to the executable.
The virus avoids infecting files with the following file name string:
It opens a back door by joining the channel #virtu on the IRC server proxim.ircgalaxy.pl through TCP port 65520 allowing a remote attacker to download and execute files onto the compromised computer.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":