The malware is packed with the PEtite packer. It uses a mutex named "[SkyNet.cz]SystemMutex" to ensure that only a single instance of it is running. It copies itself into the Windows directory (usually c:\windows) under the name winlogon.exe and creates a string value named "ICQ Net" in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the contents "%Windows%\winlogon.exe -stealth", where %Windows% is the Windows directory. This ensures that it is run when Windows starts.
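The persistence entry described above can be checked for on an exported copy of the Run key. The following is an added example, not code from the original write-up: it scans constructed (name, data) pairs as they would appear under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and flags the "ICQ Net" value name, a winlogon.exe image outside System32 (the legitimate location), and the "-stealth" switch. The Windows directory path is an assumption; on a live host it would come from the SystemRoot environment variable.

```python
"""Added example: flag Run-key persistence matching the described pattern."""
import ntpath
import re

# Assumed Windows directory; on a real host use os.environ["SystemRoot"].
WINDOWS_DIR = r"C:\Windows"
# The genuine winlogon.exe lives in System32, never in the Windows root.
LEGIT_WINLOGON = ntpath.join(WINDOWS_DIR, "System32", "winlogon.exe").lower()

# Constructed sample of Run-key values (name, data); not real host data.
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("ICQ Net", r"%Windows%\winlogon.exe -stealth"),
    ("Updater", r'"C:\Program Files\Vendor\upd.exe" /quiet'),
]


def expand(path: str) -> str:
    """Resolve the environment-variable prefixes commonly seen in Run data."""
    return re.sub(r"%(windows|systemroot|windir)%", lambda _m: WINDOWS_DIR,
                  path, flags=re.IGNORECASE)


def split_command(data: str):
    """Split Run data into (image path, argument list), honouring quotes."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)$', data)
    image = m.group(1) or m.group(2)
    return image, m.group(3).split()


def check_run_entry(name: str, data: str) -> list:
    """Return a list of reasons this Run value matches the write-up."""
    findings = []
    image, args = split_command(data)
    image = expand(image).lower()
    if name.lower() == "icq net":
        findings.append("value name 'ICQ Net'")
    if ntpath.basename(image) == "winlogon.exe" and image != LEGIT_WINLOGON:
        findings.append("winlogon.exe outside System32: " + image)
    if any(a.lower() == "-stealth" for a in args):
        findings.append("'-stealth' switch")
    return findings


def scan_run_entries(entries) -> dict:
    """Map each suspicious value name to its findings; clean entries are omitted."""
    results = {name: check_run_entry(name, data) for name, data in entries}
    return {name: hits for name, hits in results.items() if hits}


if __name__ == "__main__":
    for name, hits in scan_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(name, "->", "; ".join(hits))
```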
The malware searches through all the available drives (A through Z) which are not of CD-ROM type (this includes floppy drives, USB drives and network shares mapped to drive letters) for files with the following extensions:
for e-mail addresses. Addresses which contain any of the following strings as part of them are not collected (presumably to thwart the detection and investigation of this malware):
When an Internet connection is detected, it tries to send itself to the collected e-mail addresses. For this purpose it uses its built-in SMTP engine and the system default DNS server to get the MX records for the target domains. If it fails to obtain the MX records from the system default DNS server, it will try the following alternate DNS servers:
The sent e-mail will have in the subject field one of the following strings:
And it will contain an attachment (consisting of a copy of the virus) with one of the following possible names:
It tries to delete the following registry keys related to other malware in an attempt to prevent them from running: