This is a non-memory resident parasitic Win32 virus with IRC spreading abilities. The virus searches for EXE, SCR, CPL, and OCX Windows executable files, and writes itself to the end of the file. There is only one virus version known, which is a “debug” version, and it infects these files only in when their names begin with the “1” character (for example, “1.EXE”). The virus looks for files in current, Windows, and Windows system directories.
To spread via IRC channels, the virus creates an infected C:MUTT.EXE file and overwrites SCRIPT.INI and EVENTS.INI files (mIRC and PIRCH control files) with commands that send a virus copy (MUTT.EXE file) to anyone entering
The virus uses anti-debugging tricks, and halts the system if its code is under debugger.
On the 15th of any month, the virus, by modifying the system registry, makes A: and B: drives invisible in Explorer. Then it displays the following message box:
The virus deletes the following anti-virus data files:
The virus also contains a routine that terminates anti-virus scanners and resident monitors, but this routine never receives control. The list of anti-virus programs appears as follows: