It has been reported that the virus is spammed out as an email attachment with the following file name:
Once executed, the virus creates the following event so that only one instance of the threat runs on the compromised computer:
The virus then attempts to infect all accessed .exe or .scr files by appending itself to the executable. It avoids infecting files with the following strings:
It then opens a back door by joining the channel #virtu on the IRC server proxim.ircgalaxy.pl. The back door allows an attacker to download files onto the compromised computer and execute them.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":