The malware comes as a self extract rar file masked as a screen saver with the name Cristina.scr having a size of 816 160 bytes. Executing this file will extract 15 files with the total size of 2 000 187 bytes in the “C:\WINDOWS\system\” directory (in case you don't have windows installed in the default directory, this will be created). It will add the program “C:\WINDOWS\system\svchost.exe” in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry key with the name “GNP Generic Host Process” which was extracted from the archive. This is a customized version of the mIRC program, which will connect to a predefined IRC channel with a nick randomly chosen from a list of 313 predefined names and hide its main window.
The modified mIRC executable (svchost.exe) is infected with the Win32.Parite.B which will be activated when the executable is launched. This will try to infect other executables which may lead to random programs crashing.
The infected computers connect to the Undernet
IRC network, join a channel
and execute commands from some users.
These commands can be used to execute any program the controller wishes and perform other IRC related operations (joining channels, changing nicks, etc.)