Increased size of some executable files with appreciatively 8K.
Increased system activity (increased net traffic and processor usage)
Please let BitDefender disinfect your files.
Suiu Andre, virus researcher
Cimpoesu Mihai, virus researcher
The virus is written in assembly language.
It infects *.exe and *.scr files when files are opened (the usage of tools that show file icons is very harmful in this situation). When infecting the virus appends itself at the end of the file as a crypted body. It does not infect dll files or file whose name start with (“winc”,”wcun”,”wc32”,”psto”). It hides its process by injecting viral code in other processes in the system.
The virus is continuously trying to connect to a IRC (proxima.irc[removed]) server on port 65520 and receives commands to download a file. It can interpret 2 different commands:
- a "check if connected" command
- a PRIV command witch can contain a link to a possible virus.
The default file witch is being downloaded from the IRC server is VT100.exe (witch moves itself in %windir%/system32 directory and acts as a backdoor program).