This virus is an encrypted VB Script virus that spreads by e-mail, network drive sharing and the scripting abilities of IRC clients. It arrives as an e-mail message with the subject "Check this". The message text is "Have fun with this cool links", and the message attachment is the actual virus.

If the attached VBS script runs, it displays the message "This will add a shortcut to free XXX links on your desktop. Do you want to continue ?".

If the answer is yes, the virus creates a .URL file that contains the URL "http://www.sublimedirectory.com/". The virus also creates the file c:\WINDOWS\SYSTEM\RUNDLL.VBS and changes the Windows registry key:
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN\Rundll
so that the file runs every time the infected computer is rebooted. The RUNDLL.VBS file checks whether the mIRC or PIRCH IRC clients are installed and, if either of them is, the virus creates a SCRIPT.INI or EVENTS.INI file which sends the virus to other users on the same IRC channel on a JOIN channel event.

If there is a shared network disk drive, the virus will copy itself to the drive and therefore spread through a network. The virus attempts to create and send the above e-mail message to all entries in the user's Outlook address book.
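
A host check for the artifacts listed above, added here as an example and not part of the original description: it parses a regedit export of the Run key plus a file listing and flags the Rundll value, RUNDLL.VBS, and any SCRIPT.INI or EVENTS.INI files. The function names and sample data are constructed, and it assumes the Rundll value's data points at the dropped script, which the description does not state.

```python
import re

# Indicators below come from the description above; matching is case-insensitive.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
DROPPED_SCRIPT = r"c:\windows\system\rundll.vbs"
IRC_SCRIPT_NAMES = {"script.ini", "events.ini"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample input, not taken from a real host.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Rundll"="C:\\WINDOWS\\SYSTEM\\RUNDLL.VBS"
'''
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM\RUNDLL.VBS", r"C:\MIRC\SCRIPT.INI",
                r"C:\WINDOWS\WIN.INI"]

def parse_reg_export(text):
    """Parse regedit export text into {lowercased key path: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            # Undo .reg escaping (\\ and \") in both name and data.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = data
    return keys

def triage(reg_text, file_paths):
    """Return (indicator, detail) pairs for artifacts named in the description."""
    findings = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        # Assumption: the Rundll value's data points at the dropped script.
        if name.lower() == "rundll" or data.lower().endswith("rundll.vbs"):
            findings.append(("run-key", f"{name} -> {data}"))
    for path in file_paths:
        low = path.lower()
        if low == DROPPED_SCRIPT:
            findings.append(("dropped-script", path))
        elif low.rsplit("\\", 1)[-1] in IRC_SCRIPT_NAMES:
            # A file with this name may be legitimate: review its contents.
            findings.append(("irc-script-review", path))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```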