When executed, the virus creates a thread that is going to allow it to bypass Zone Alarm. When Zone Alarm alerts the user that a program wants to access the internet, the virus finds that window, searches the text within it to see if it’s related to the virus name and then attaches to the thread that created the window so it can send input. The virus moves through the window controls(by simulating the tab key) and checks the option “Remember this setting” and then clicks the Allow button.
After the rule for the firewall was added, the virus tries to download and execute a file from:
http://www.freescan[hidden]/programs/winsock.exe. The downloaded file is currently detected as Generic.Malware.SIFYd.7e8A093d