Spreads through file-sharing networks and by e-mail.
1. Adds itself to Windows startup.
"Syskey" = "%System%\sysinit.exe"
2. Creates the following files:
3. Kills antiviruses.
4. Opens a backdoor on TCP port 2002.
5. Sends an HTTP GET request via TCP port 80 to the domain webnomey.net, where it attempts to contact a .php script.
6. Attempts to download a file from the domain sash.cc and save it as 1.exe. This file is then executed.
Remove it from startup using antivirus (also check How To Remove section) Startup Optimizer.
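The behaviours listed above can be correlated per machine to separate a real infection from a single coincidental match (for example, unrelated software listening on port 2002). The following is an added detection example, not part of the original description; the event schema, machine names, file paths, URL paths and subdomains in the sample data are constructed assumptions.

```python
# Added example: correlate the behaviours listed above per machine.
# Event schema and all sample events are constructed for illustration.
DOMAIN_CHECKIN = "webnomey.net"
DOMAIN_DOWNLOAD = "sash.cc"

def host_matches(dest, domain):
    """True for the domain itself or a subdomain, not for lookalikes."""
    dest = dest.lower().rstrip(".")
    return dest == domain or dest.endswith("." + domain)

def classify(ev):
    """Map one event to a behaviour label from the write-up, or None."""
    kind = ev["type"]
    if kind == "registry_set":
        if ev["value"].lower() == "syskey" and ev["data"].lower().endswith("\\sysinit.exe"):
            return "startup_entry"
    elif kind == "listen":
        if ev["proto"] == "tcp" and ev["port"] == 2002:
            return "backdoor_port"
    elif kind == "http":
        path = ev["path"].split("?", 1)[0].lower()
        if host_matches(ev["dest"], DOMAIN_CHECKIN) and path.endswith(".php"):
            return "php_checkin"
        if host_matches(ev["dest"], DOMAIN_DOWNLOAD):
            return "download_host"
    elif kind == "process_create":
        if ev["image"].lower().rsplit("\\", 1)[-1] == "1.exe":
            return "dropped_1exe"
    return None

def triage(events, threshold=2):
    """Return machines showing at least `threshold` distinct behaviours."""
    seen = {}
    for ev in events:
        label = classify(ev)
        if label:
            seen.setdefault(ev["machine"], set()).add(label)
    return {m: sorted(s) for m, s in seen.items() if len(s) >= threshold}

SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    {"machine": "PC-A", "type": "registry_set", "value": "Syskey", "data": r"C:\WINDOWS\system32\sysinit.exe"},
    {"machine": "PC-A", "type": "listen", "proto": "tcp", "port": 2002},
    {"machine": "PC-A", "type": "http", "dest": "www.webnomey.net", "path": "/a.php?id=1"},
    {"machine": "PC-A", "type": "http", "dest": "sash.cc", "path": "/file"},
    {"machine": "PC-A", "type": "process_create", "image": r"C:\Temp\1.exe"},
    {"machine": "PC-B", "type": "listen", "proto": "tcp", "port": 2002},
    {"machine": "PC-C", "type": "http", "dest": "notsash.cc", "path": "/file"},
    {"machine": "PC-C", "type": "http", "dest": "webnomey.net.example.org", "path": "/a.php"},
]

if __name__ == "__main__":
    for machine, labels in triage(SAMPLE_EVENTS).items():
        print(machine, labels)
```

Lowering `threshold` to 1 surfaces single-indicator machines such as PC-B for manual review.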