Win32/Ryknos creates a copy of itself in the Windows system folder. The file name begins with "$sys$" and may be a name like $sys$drv.exe or $sys$xp.exe. The Trojan attempts to add this file name to a registry key so that the Trojan runs automatically each time Windows starts.
The Trojan takes advantage of the stealth functionality of rootkit WinNT/F4IRootkit if the rootkit is already installed on the target computer. The rootkit hides certain names on the system that are prefixed by $sys$, such as names of files, processes, and registry entries. The Trojan file name, process name, and registry entry name begin with $sys$, so the effect is that the rootkit hides the Trojan from the user.
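A defender's check for the autorun entry and the $sys$ cloak described above, added here as an example (it is not code from the original entry). It parses a constructed .reg export of the Run key taken where the rootkit's filtering is not active (an offline hive or a clean-media boot), flags entries whose value name or image name starts with $sys$, and compares the offline view with a live API view to surface what the rootkit hides. The key path is the standard Run key; the value names and paths are constructed sample data.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: .reg export of the Run key captured with the rootkit's
# filtering inactive, so $sys$-prefixed names are present.
RUN_KEY_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"$sys$drv"="C:\\WINDOWS\\system32\\$sys$drv.exe"
"Updater"="C:\\WINDOWS\\system32\\$sys$xp.exe -s"
'''

# One string value per line: "name"="data"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_values(export):
    """Return {value_name: data} for each string value in a .reg export."""
    values = {}
    for line in export.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            # .reg exports double the backslashes inside string data
            values[m.group('name')] = m.group('data').replace('\\\\', '\\')
    return values


def image_name(command):
    """File name of the executable in a command line (unquoted paths only)."""
    first = command.strip().split(' ')[0]
    return PureWindowsPath(first).name


def flag_cloaked_autoruns(values):
    """Entries whose value name or image name starts with $sys$ fall under
    the rootkit's cloak, whether or not the value name itself is hidden."""
    return sorted(name for name, data in values.items()
                  if name.lower().startswith('$sys$')
                  or image_name(data).lower().startswith('$sys$'))


def hidden_from_live_view(offline_names, live_names):
    """Cross-view check: value names present in the offline export but absent
    from an enumeration done through the API on the running system."""
    return sorted(set(offline_names) - set(live_names))
```

Note that the "Updater" value stays visible in a live registry enumeration because only its image name carries the $sys$ prefix; the file itself is what the rootkit hides.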
Win32/Ryknos uses the netsh command to configure the Windows firewall so the Trojan can exchange data over the network. The Trojan can connect to several IRC servers at a time to receive commands from attackers, who can then take complete control of the infected computer.
Like other Trojans, Win32/Ryknos does not have its own spreading mechanism. It can be distributed in numerous ways, for example, through e-mail, file-sharing, network shares, or file downloads.