This trojan uses a tricky way of installing itself to system. It uses 5 different ways at the same time to make disinfection more difficult:
1. Through Registry by modifying RUN key to launch C:\COMMAND.EXE
hidden file which is a trojan's body
2. Through SYSTEM.INI by adding a screensaver reference routine
to C:\Windows\System\WINSAVER.EXE - the system will become
infected when screen saver starts.
3. Through WIN.INI - by adding to execution of C:\America Online
4.0\BUDDYLIST.EXE hidden file to LOAD= string with more than
80 spaces in front of line to hide it
4. Again through WIN.INI - by adding to execution of
file to RUN= string
5. Through Windows startup directory - by placing AIM
REMINDER.EXE file in \Windows\Start Menu\Programs\Startup\
Also a DLL is created in Windows\System folder with the name VCLCNTL.DLL but it contains some text data for the trojan, not DLL code. When Windows is started the trojan is also started (one of steps 1-5) and remains active during all Windows session. It sends user's AOL login and password as email to firstname.lastname@example.org, email@example.com or firstname.lastname@example.org addresses (depending on trojan version).