The virus infects files stored in the folders:
If the file does not satisfy certain conditions, e.g. it is protected with SFC, is will not be infected.
It attempts to connect to remote control servers indicated in the virus body. If server connections cannot be established, it attempts to connect to servers whose domain names are generated by the virus following a certain algorithm.
The virus can download additional encrypted modules from the control server, which are then executed in the infected system.
Several variants of this virus are known to exist. This description was written for a version current in August 2011.