The User Id may be ~user@*

Note: Profiles is the name used by #AVA on AUSTnet. Other networks may call this 'ExBuz'.

The trojan does not fix the User Id to any known identd.

The trojan's removal technique was created on #AVA two days after its inception, and the trojan has been
removed successfully since that time.

aka = SEXY.exe, PUTAS.exe, YOURWAY.exe, MEGAMIRC.exe, EMAILS.exe, OVERNUKE.exe, NUKESCAN.exe, SOUEU.exe,
VIDEOSEX.exe, GRANA.exe, PPPBOOST.exe, PHOTO.exe, VIAGRA.exe

When run, it creates c:\windows\NEWNAME.exe, where ‘newname’ is one of the names from that list.

It also creates c:\windows\com.exe, approx. 1k in size.

It then adds profiles.ini to the end of your remote files section of mirc.ini 4 times, then adds to mirc.ini

It also creates profiles.ini, read only, with /remove, /remote, /sreq, /unload and /events all aliased, some lines
sending to an echo channel.

Profiles.ini creates aliases for common mIRC commands ... so you cannot /remote off or /unload.

It is recommended that you do /alias remote .. prior to /remote off ... and also /alias <command> prior to using
any /mirc command.

It places itself in c:\windows

Also adds:

c:\windows\com.exe

c:\mirc\download\PROFILES.INI

c:\mirc\PROFILES.INI

c:\mirc\download<virusname>.exe
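
A defender's check for the indicators listed above, as an added example that is not part of the original advisory: it scans mirc.ini text for profiles.ini entries in the remote files section (assumed here to be named [rfiles]), finds alias lines that redefine the commands named above, and flags file names from the list. The function names and all sample data are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from this page: the "aka" executable names, com.exe, profiles.ini.
AKA = {"sexy", "putas", "yourway", "megamirc", "emails", "overnuke", "nukescan",
       "soueu", "videosex", "grana", "pppboost", "photo", "viagra"}
FILE_NAMES = {n + ".exe" for n in AKA} | {"com.exe", "profiles.ini"}
# Commands the page says profiles.ini aliases.
HIJACKED = {"remove", "remote", "sreq", "unload", "events"}

def rfiles_hits(ini_text, section="rfiles"):
    """Entries in the remote-files section (name assumed) that load profiles.ini."""
    hits, current = [], None
    for line in map(str.strip, ini_text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).lower()
        elif current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if PureWindowsPath(value).name.lower() == "profiles.ini":
                hits.append((key, value))
    return hits

def hijacked_aliases(script_text):
    """Commands from HIJACKED that the script redefines with an alias line."""
    found = set()
    for line in script_text.splitlines():
        # Older script files prefix each line with nN=, so that prefix is optional.
        m = re.match(r"\s*(?:n\d+=)?\s*alias\s+/?(\S+)", line, re.IGNORECASE)
        if m and m.group(1).lower() in HIJACKED:
            found.add(m.group(1).lower())
    return sorted(found)

def suspicious_paths(paths):
    """Paths whose file name matches an indicator; candidates for manual review."""
    return [p for p in paths if PureWindowsPath(p).name.lower() in FILE_NAMES]

# Constructed sample data, not captured from an infected machine.
SAMPLE_INI = "[rfiles]\nn0=remote.ini\n" + "".join(
    f"n{i}=profiles.ini\n" for i in range(1, 5)) + "[afiles]\nn0=aliases.ini\n"
SAMPLE_SCRIPT = "n0=alias remote echo -s constructed\nn1=alias /unload echo -s constructed\n"
SAMPLE_PATHS = [r"c:\windows\com.exe", r"c:\windows\VIAGRA.exe",
                r"c:\mirc\PROFILES.INI", r"c:\mirc\mirc.exe"]

if __name__ == "__main__":
    print(rfiles_hits(SAMPLE_INI))
    print(hijacked_aliases(SAMPLE_SCRIPT))
    print(suspicious_paths(SAMPLE_PATHS))
```

A file name match alone is only a lead: names such as photo.exe can belong to unrelated software, so confirm against the other indicators before removing anything.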