This Trojan carries out its actions through a client-server connection. To establish this connection, the client sends service requests to the server through a communications port. Once the connection is established, the client sends requests to the server, and the server is in charge of carrying out all of them.
Attacking users must have the client installed on their systems. The client is a graphical interface that allows malicious users to carry out a large number of actions on the affected system. To do this, users have to enter the Nickname (access identifier), which is needed to establish a connection with the affected system, as can be seen in the image shown below.
Once the nickname has been entered, the interface of the client is displayed, which allows users to carry out a number of actions on the affected system. The client looks as follows:
It is interesting to note that the client looks very much like the Windows desktop. This window enables users to access different menus, as well as to access other versions of the Trojan.
The Trojan contains an IP analyzer, which enables malicious users to find victim systems where the server is installed. It automatically attempts to find IP addresses of the affected systems:
Admin section: It allows hackers to perform a number of actions on the system: restarting Windows, capturing screenshots, opening a chat session with the infected system, interrupting the Internet connection, keylogging, opening an FTP connection, and obtaining confidential user information. It also creates its own script code (VBS - Visual Basic Script), which is stored in the hard disk root directory under a previously specified name, and adds ICQ notification messages. However, its most dangerous and destructive function is its ability to format the hard disk of the computer under attack.
Fun Shit section: These actions are not dangerous, but they can be very annoying. They include disabling the mouse double-click feature, reversing the mouse buttons, displaying error messages on the screen, opening and closing the CD-ROM tray, hiding the task bar, changing the colors of the title bars, etc.
Misc Shit section: This section allows users to open the Internet browser at a pre-established URL, view the history of the last websites visited on the affected system, change the name assigned to the computer and run programs in the background.
Windows Shit section: This section allows users to disable the Find and Run options in the Windows Start menu, move the mouse pointer about the screen, delete, display and modify the Clipboard of the client, etc.
Message Manager section: This section is in charge of managing all the actions related to the message boxes displayed by the Trojan.
File Manager section: It allows users to carry out a number of actions with the files on the affected system.
User Info section: It allows hackers to obtain confidential user information and to store this information in a file.
Besides all of these actions, it contains an About option, which users can use to carry out a great number of actions on the affected system. This option looks as follows: