Increased size of some executable files with appreciatively 8K.
Increased system activity (increased net traffic and processor usage)
The virus is written in assembly language.
It infects *.exe and *.scr files when files are opened (the usage of tools that show file icons is very harmful in this situation). When infecting the virus appends itself at the end of the file as a crypted body. It does not infect dll files or file whose name start with (“winc”,”wcun”,”wc32”,”psto”). It hides its process by injecting viral code in other processes in the system.
The virus is continuously trying to connect to a IRC (proxima.irc[removed]) server on port 65520 and receives commands to download a file. It can interpret 2 different commands:
The default file witch is being downloaded from the IRC server is VT100.exe (witch moves itself in %windir%/system32 directory and acts as a backdoor program).