It infects Explorer.exe in memory on Windows 9x and Windows NT/2000, and deletes the checksum files that antivirus integrity checkers rely on.
This virus infects PE files and replicates on the major Win32 platforms (Windows 95/98 and Windows NT/2000). It is also referred to as Win32.CTX_ll, since the two share the same polymorphic engine. It uses multi-layer polymorphism and an inserting file-infection strategy.
The body of the virus is 10853 bytes long. It is a slow polymorphic virus: the decryptor it generates changes only rarely rather than with every infection, which is what the term refers to. Even so, it is regarded as one of the most complex viruses written in 2000. Some decryption layers are easy to detect, but in most cases the virus is hard to detect. Explorer.exe is the main host used by this virus. Once it gains control, the virus locates the API addresses it needs (for example CreateFileA, WriteProcessMemory and IsDebuggerPresent) by comparing checksums of the exported API names rather than the names themselves, so the API strings never appear in its body and cannot be used as a simple signature.
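The API-resolution step described above, as an added example that is not the virus's own code or code from this page: it builds a stand-in export table in the layout of IMAGE_EXPORT_DIRECTORY with made-up RVAs, then resolves a function from a checksum of its name the way a loader that carries no API strings does. The ROR-13 checksum, the sample export names and the RVAs are assumptions; the page does not state which checksum the virus uses. The last function shows the analyst's side: recovering the targeted API names from the hash constants pulled out of a sample.

```python
"""API-address resolution by export-name checksum, over a constructed
export table (example code, not the virus's or the page's own)."""
import struct
from typing import Dict, List, Optional

# IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, MajorVersion,
# MinorVersion, Name, Base, NumberOfFunctions, NumberOfNames,
# AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals (40 bytes).
EXPORT_DIR_FMT = "<IIHHIIIIIII"


def api_hash(name: str) -> int:
    """32-bit ROR-13 checksum of an export name. Assumption: the page does
    not state which checksum the virus uses; this is a common choice."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13
        h = (h + ch) & 0xFFFFFFFF
    return h


def build_export_image(exports: Dict[str, int]) -> bytes:
    """Constructed in-memory image holding only an export directory, its
    three tables and the name strings. RVAs are offsets from byte 0 of this
    buffer; in a real DLL they are relative to the module base."""
    names = sorted(exports)              # real export name tables are sorted
    n = len(names)
    funcs_rva = struct.calcsize(EXPORT_DIR_FMT)
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings_rva = ords_rva + 2 * n
    # Function table in insertion order, so the ordinal table really does
    # the name-index -> function-index mapping instead of being identity.
    func_order = list(exports)
    name_rvas: List[int] = []
    ordinals: List[int] = []
    strings = b""
    for nm in names:
        name_rvas.append(strings_rva + len(strings))
        strings += nm.encode("ascii") + b"\0"
        ordinals.append(func_order.index(nm))
    header = struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, 0, 1, n, n,
                         funcs_rva, names_rva, ords_rva)
    return (header
            + b"".join(struct.pack("<I", exports[f]) for f in func_order)
            + b"".join(struct.pack("<I", r) for r in name_rvas)
            + b"".join(struct.pack("<H", o) for o in ordinals)
            + strings)


def resolve_by_hash(image: bytes, wanted: int) -> Optional[int]:
    """Walk the export name table as a hash-resolving loader does: checksum
    every exported name, compare with the wanted value, and on a match go
    name index -> ordinal -> function RVA. The caller never holds the name."""
    (_, _, _, _, _, _, n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from(EXPORT_DIR_FMT, image, 0)
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names_rva + 4 * i)[0]
        name = image[name_rva:image.index(b"\0", name_rva)].decode("ascii")
        if api_hash(name) == wanted:
            ordinal = struct.unpack_from("<H", image, ords_rva + 2 * i)[0]
            if ordinal >= n_funcs:           # malformed table: refuse rather than read past it
                return None
            return struct.unpack_from("<I", image, funcs_rva + 4 * ordinal)[0]
    return None


def recover_names(hashes: List[int], candidates: List[str]) -> Dict[int, Optional[str]]:
    """Analyst's side: map the hash constants pulled out of a sample back to
    export names by checksumming a list of known API names."""
    table = {api_hash(nm): nm for nm in candidates}
    return {h: table.get(h) for h in hashes}


# Constructed sample: a stand-in for kernel32's export table with made-up RVAs.
SAMPLE_EXPORTS = {
    "WriteProcessMemory": 0x1A30,
    "CreateFileA": 0x1010,
    "IsDebuggerPresent": 0x2F40,
    "GetProcAddress": 0x1C00,
}
IMAGE = build_export_image(SAMPLE_EXPORTS)

if __name__ == "__main__":
    for api in ("CreateFileA", "WriteProcessMemory", "IsDebuggerPresent"):
        h = api_hash(api)
        print(f"{api:20s} hash=0x{h:08X} rva=0x{resolve_by_hash(IMAGE, h):04X}")
    print(recover_names([api_hash("IsDebuggerPresent"), 0x12345678],
                        list(SAMPLE_EXPORTS)))
```

Against a real DLL the same walk starts from the export data directory in the PE optional header and adds the module base to every RVA; the name-hash comparison and the name index to ordinal to address indirection are identical. For a scanner, the practical consequence is that the hash constants, not API strings, are what survive in the sample, which is why analysts keep precomputed hash tables of common export names.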
The virus then searches for PE files to infect. It also deletes the checksum files of antivirus integrity checkers, such as avp.crc, anti-vir.dat and ivp.ntz, so that a checker that compares files against its stored checksums has nothing to compare with and does not notice the modified executables. In some cases the in-memory infection of Explorer.exe causes page fault errors; when Explorer.exe is restarted after the error, the infected file is loaded again, so the virus reloads itself automatically.
There is no easy manual removal for this virus; disinfection with up-to-date antivirus software is recommended.