When run, it captures screenshots and saves them and encrypts them, and sends the pictures to the creator. The file size varies upon versions and variants.
While being installed the trojan copies itself to Windows system directory with the with the name "SERVICES.EXE" and registers the file in the system registry with the auto-run key:
It also writes an "auto-run" command to the "SYSTEM.INI" file to "shell=" instruction. The captured screens are stored to SPCSPC*.* files in Windows system directory.