Furthermore it infects executable files on a user's computer. The program is a library of Windows (PE DLL-file). The size of the original malware - 20480 bytes. It is not packed. Written in Visual C + +.
Once launched, the virus creates in the Windows system directory following libraries:
To determine its presence in the system virus creates a unique identifier:
Once launched, the virus writes its code in the address space system process "explorer.exe". After that infected the process of looking for all files ending in. Exe and appends to the end of found files virus code.
Prospecting shall not be in folders with the following names:
Local Settings \ Temp
Also, do not become infected with the following files:
The worm also has the ability to download other malicious programs to a user's computer to steal passwords for online games. For this sends a request specifying parameters of the infected system (at the time of writing, these links were not working):