When first run, the virus copies itself to %SYSDIR%\wgavm.exe and creates the file %WINDIR%\dcpromo.log.
Note: %SYSDIR% refers to the System directory. The default path for the respective operating systems is as follows:
- Windows 95/98/Me - C:\Windows\System
- Windows NT/2000 - C:\Winnt\System32
- Windows XP - C:\Windows\System32
It disables the Windows Firewall by setting the value:
"Start"=4
of the key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
It creates a service with the following characteristics:
"Service Name"="wgavm"
"Display Name"="Windows Genuine Advantage Validation Monitor"
"Description"="Ensures that your copy of Microsoft Windows is genuine. Stopping or disabling this service will result in system instability."
"Path to executable"=%SYSDIR%\wgavm.exe
to make sure it is run at startup.
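The following read-only triage script is an added example, not part of the original description; it checks a host for the persistence and firewall-tampering indicators listed above and changes nothing. It assumes only the names and paths given on this page (the SharedAccess service key, the wgavm service, %SYSDIR%\wgavm.exe and %WINDIR%\dcpromo.log), resolves %SYSDIR% through the System folder of the host it runs on, and treats a Start value of 4 (SERVICE_DISABLED) on SharedAccess as the firewall-disabled condition. It requires an NT-based Windows host with PowerShell available.

```powershell
# Added triage check (not from the original write-up). Read-only: reports indicators, modifies nothing.
$indicators = @()

# 1. Windows Firewall / ICS service (SharedAccess) disabled: Start=4 is SERVICE_DISABLED.
$saKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'
if (Test-Path $saKey) {
    $start = (Get-ItemProperty -Path $saKey -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) {
        $indicators += "SharedAccess Start=4 (Windows Firewall service disabled)"
    }
}

# 2. Persistence: a service named wgavm, or any service whose ImagePath points at wgavm.exe.
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$wgavmKey = Join-Path $svcRoot 'wgavm'
if (Test-Path $wgavmKey) {
    $props = Get-ItemProperty -Path $wgavmKey
    $indicators += "Service 'wgavm' present: DisplayName='$($props.DisplayName)' ImagePath='$($props.ImagePath)'"
}
Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($p.ImagePath -and $p.ImagePath -match 'wgavm\.exe') {
        $indicators += "Service '$($_.PSChildName)' ImagePath references wgavm.exe: $($p.ImagePath)"
    }
}

# 3. Dropped files. %SYSDIR% is resolved from this host's System folder; dcpromo.log shares its
# name with a legitimate Active Directory promotion log, so treat that hit as corroborating only.
$sysDir = [Environment]::GetFolderPath('System')
$winDir = $env:WINDIR
foreach ($f in @((Join-Path $sysDir 'wgavm.exe'), (Join-Path $winDir 'dcpromo.log'))) {
    if (Test-Path $f) {
        $item = Get-Item $f
        $indicators += "File present: $f ($($item.Length) bytes, modified $($item.LastWriteTime))"
    }
}

if ($indicators.Count -eq 0) {
    Write-Output "No indicators from this description found."
} else {
    Write-Output "Indicators found:"
    $indicators | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an elevated PowerShell prompt so the Services hive and the System directory are readable. A match on the service name alone is weak, since the display name "Windows Genuine Advantage Validation Monitor" is chosen to look legitimate; the combination of a disabled SharedAccess service, a service image path under %SYSDIR%\wgavm.exe and the dropped file is what distinguishes this infection from benign configuration.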
It connects to IRC servers and waits there for remote commands.