When executed, the virus creates the following files:
And the following registry keys:
It adds itself to startup by creating the value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spa_start and by registering itself as a Browser Helper Object (BHO).
The adware keeps all the information it needs to show popups in the registry. It creates the following values under the key HKCU\Software\Microsoft\AdvRemoteDbg:
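The host-side artifacts named above (the Run value spa_start, the AdvRemoteDbg key, and a BHO registration) can be checked for in a registry export. The following is an added example, not code from the original write-up: it parses a `.reg` export and reports those artifacts. The sample export, the file path, the IP, the install_id value and the CLSID in it are constructed placeholders; the only assumption beyond the text is the standard BHO registration location under `...\Explorer\Browser Helper Objects`, where the CLSID is per-BHO and the write-up does not give it.

```python
"""Scan a Windows registry export (.reg text) for the artifacts described
above: the Run value spa_start, the HKCU\\Software\\Microsoft\\AdvRemoteDbg
key with its last_ip / install_id values, and any CLSIDs registered as
Browser Helper Objects. Added example; not part of the original write-up."""

# Hive names as they appear in a .reg export (HKLM/HKCU expanded), lowercased
# because registry paths are case-insensitive.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
ADW_KEY = r"hkey_current_user\software\microsoft\advremotedbg"
# Standard BHO registration location; the CLSID subkey under it is per-BHO.
BHO_KEY = (r"hkey_local_machine\software\microsoft\windows\currentversion"
           r"\explorer\browser helper objects")

# Constructed sample export. The executable path, the IP, the install_id and
# the CLSID are placeholders, not values taken from a real infection.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"spa_start"="C:\\Windows\\system32\\PLACEHOLDER_adware.exe"

[HKEY_CURRENT_USER\Software\Microsoft\AdvRemoteDbg]
"last_ip"="203.0.113.10"
"install_id"="PLACEHOLDER_HASH"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-444444444444}]
@=""
"""


def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: data}} from a .reg export.

    Only the string-value syntax ("name"="data" and @="data") is handled;
    that is enough for the artifacts checked here.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            # .reg doubles backslashes inside string data; undo that.
            keys[current][name.strip('"').lower()] = data.strip('"').replace("\\\\", "\\")
    return keys


def find_indicators(text):
    """Return (indicator, detail) tuples for every matching artifact."""
    keys = parse_reg(text)
    hits = []
    run = keys.get(RUN_KEY, {})
    if "spa_start" in run:
        hits.append(("run_value_spa_start", run["spa_start"]))
    adw = keys.get(ADW_KEY)
    if adw is not None:
        hits.append(("advremotedbg_key", "; ".join(f"{k}={v}" for k, v in adw.items())))
    for path in keys:
        if path.startswith(BHO_KEY + "\\"):
            hits.append(("bho_clsid", path[len(BHO_KEY) + 1:]))
    return hits


if __name__ == "__main__":
    for indicator, detail in find_indicators(SAMPLE_REG):
        print(f"{indicator}: {detail}")
```

A BHO hit only says that some CLSID is registered; legitimate browser add-ons register there too, so each CLSID reported should be resolved under HKCR\CLSID to the DLL it loads before being treated as this adware.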
The adware works by opening an Internet Explorer window in the background and showing popups at intervals. It first connects to the server at http://superi[hidden]/bc/ip.php with the User-Agent string "opera" and tries to read data from the server: the response gives the IP address of the server hosting the popups, which it saves to the value last_ip. At intervals the data stored in the registry is sent to the URL http://superi[hidden]/bc/123kah.php with the User-Agent string M0zilla/4.0(compatible), where install_id is a hash computed from the VolumeSerialNumber, WProcessorRevision and WProcessorLevel.
At intervals the adware also checks whether an update is available and, if one is, downloads it from the server and executes it.
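The two User-Agent strings and the two server-side script paths given above are usable as proxy-log indicators, and the beacon and update checks recur at intervals, so they show up repeatedly from the same client. The following is an added example, not code from the original write-up: it scans tab-separated proxy log lines for those indicators. The log lines are constructed, the adware host is a placeholder (the write-up redacts the real one), and the install_id value is made up; the generalisation to any User-Agent beginning with "M0zilla/" is my addition, since no real browser emits that prefix.

```python
"""Flag proxy-log requests that match the adware's network behaviour
described above: the User-Agent strings "opera" (ip.php check-in) and
"M0zilla/4.0(compatible)" (install_id beacon), and the server-side paths
/bc/ip.php and /bc/123kah.php. Added example; not part of the original
write-up."""
import re
from urllib.parse import urlparse

# Exact UA strings the adware sends, compared case-insensitively.
# "M0zilla" has a digit zero and no space before "(compatible)"; no real
# browser emits that, so the prefix alone is a strong signal.
ADWARE_UAS = {"opera", "m0zilla/4.0(compatible)"}
ADWARE_PATHS = {"/bc/ip.php", "/bc/123kah.php"}
FAKE_MOZILLA = re.compile(r"^m0zilla/")

# Constructed sample log, tab-separated: time, client, method, url, user-agent.
# The adware host is a placeholder (the write-up redacts the real one) and the
# install_id value is made up. Lines 2 and 4 are benign traffic, including a
# genuine Opera browser UA that must not be confused with the bare "opera".
SAMPLE_LOG = """\
2024-01-01T10:00:00Z\t10.0.0.5\tGET\thttp://superi-REDACTED.invalid/bc/ip.php\topera
2024-01-01T10:00:01Z\t10.0.0.7\tGET\thttp://www.example.com/\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0
2024-01-01T10:05:00Z\t10.0.0.5\tGET\thttp://superi-REDACTED.invalid/bc/123kah.php?install_id=PLACEHOLDER_HASH\tM0zilla/4.0(compatible)
2024-01-01T10:06:00Z\t10.0.0.9\tGET\thttp://www.example.org/news\tOpera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.18
"""


def classify(url, user_agent):
    """Return the reasons a request looks like this adware's traffic ([] if none)."""
    reasons = []
    ua = user_agent.strip().lower()
    if ua in ADWARE_UAS:
        reasons.append(f"known adware user-agent: {user_agent!r}")
    elif FAKE_MOZILLA.match(ua):
        reasons.append(f"typo-squatted Mozilla user-agent: {user_agent!r}")
    path = urlparse(url).path.lower()
    if path in ADWARE_PATHS:
        reasons.append(f"adware script path: {path}")
    return reasons


def scan(log_text):
    """Return (client, url, reasons) for every suspicious line in a log."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:          # skip blank or malformed lines
            continue
        _time, client, _method, url, user_agent = fields
        reasons = classify(url, user_agent)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {url}")
        for r in reasons:
            print(f"    {r}")
```

The path match is kept separate from the User-Agent match so that a client hitting /bc/123kah.php with a normal browser UA (for instance an analyst reproducing the beacon) is still reported, but with only one reason rather than two.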