Once executed, the virus injects a thread into the winlogon process that patches the system call table and hooks the following API calls:
This lets the virus see when files are opened and processes are started, so that it can infect executables as they run.
The virus then checks whether it is running on VMware and exits if it is.
Next, it creates the following event so that only one instance of the threat runs on the compromised computer:
The virus then attempts to infect any .exe or .scr file that is accessed by appending itself to the executable file.
It avoids infecting files with the following strings:
It then opens a back door by connecting to the IRC server ircd.zief.pl on TCP port 80, and joining the channel virtu. The back door allows an attacker to download files onto the compromised computer and execute them.
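The back door described above talks IRC over TCP port 80, a port most perimeter rules allow for HTTP. The following is an added detection example, not code from Symantec or from the write-up: it inspects the first bytes each host sends on port 80 and flags IRC registration commands where HTTP is expected, the C2 host named in the write-up, and a JOIN to the channel virtu. The record layout, sample payloads and client addresses are constructed for this example.

```python
import re
from collections import namedtuple

# Constructed connection records: (client, destination host, destination port,
# first bytes the client sent). Only the host ircd.zief.pl and the channel
# name virtu come from the write-up; every other value is made up here.
Conn = namedtuple("Conn", "src dst_host dst_port payload")

SAMPLE_CONNS = [
    Conn("10.0.0.5", "www.example.com", 80,
         b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"),
    Conn("10.0.0.7", "ircd.zief.pl", 80,
         b"NICK abcdef\r\nUSER abcdef 0 * :abcdef\r\nJOIN #virtu\r\n"),
    Conn("10.0.0.9", "203.0.113.20", 80,
         b"NICK zzz\r\nUSER zzz 8 * :zzz\r\n"),
    Conn("10.0.0.9", "irc.example.org", 6667,
         b"NICK normaluser\r\n"),
]

# Indicator taken from the write-up; extend with your own threat-intel feed.
KNOWN_C2_HOSTS = {"ircd.zief.pl"}

# IRC client registration / channel commands at the start of a line.
IRC_CMD = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG)\b", re.M)
# A legitimate HTTP request line; anything else on port 80 is worth a look.
HTTP_METHOD = re.compile(rb"^(GET|POST|HEAD|PUT|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r?\n")
# The write-up gives the channel as "virtu"; allow the usual '#' prefix too.
CHANNEL_JOIN = re.compile(rb"^JOIN #?virtu\b", re.M)


def classify(conn):
    """Return the list of reasons a connection matches this back door (empty if none)."""
    reasons = []
    if conn.dst_host in KNOWN_C2_HOSTS:
        reasons.append("known C2 host")
    # Protocol/port mismatch: IRC commands on the HTTP port with no request line.
    if (conn.dst_port == 80 and IRC_CMD.search(conn.payload)
            and not HTTP_METHOD.match(conn.payload)):
        reasons.append("IRC protocol on TCP/80")
    if CHANNEL_JOIN.search(conn.payload):
        reasons.append("joins channel virtu")
    return reasons


def find_suspects(conns):
    """Map (client, destination) to match reasons for every flagged connection."""
    return {(c.src, c.dst_host): classify(c) for c in conns if classify(c)}
```

Run `find_suspects(SAMPLE_CONNS)` to see the two flagged clients; in practice feed it the first payload bytes from a proxy or network sensor.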
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":