Win32/IRCBot.GF is a worm that propagates via exploit, network shares, removable drives and instant messaging applications.

When executed, Win32/IRCBot.GF drops a copy of itself as "SbCtri.exe" in the %System%\drivers folder with Read, Hidden and System file attributes set.

It modifies the file "sfc_os.dll" to totally disable System File Protection. It also modifies the file "tcpip.sys" to gain optimum speed in transmitting its executable over network shares.

IRCBot.GF saves the original copy of "sfc_os.dll" to %System%\trash(random string).

More information can be found at this Computer Associates page.