An IRC bot that can launch DDoS attacks, steal passwords stored by FTP clients and data entered by the user into various web forms, and download applications from a remote server and run them.
It is equipped with anti-debugging features; that is, once launched, it scans the system for the presence of virtual machines and anti-viruses.
The malicious program runs a search for cmd.exe and kills the first found process. Then it replicates itself to %APPDATA%%rnd10%.exe, where %rnd10% indicates a random string consisting of 10 Latin characters. The bot modifies the system registry storing the executable path in the following branch:
The malware monitors the status of this registry branch and restores deleted values.
BackDoor.IRC.Codex.1 injects the malicious payload into all running processes and launches its own process. Then it checks whether the computer is infected by comparing the name of the folder from which it is launched with the %APPDATA% name. The bot tries to modify the registry 25 times (with a 10-second interval).