W32/Autorun-XC runs continuously in the background, providing a backdoor server that allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/Autorun-XC copies itself to \wmisys.exe and creates the file \drivers\sysdrv32.sys.

The file wmisys.exe is registered as a new system driver service named "WMISYS", with a display name of "WMI System App" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\WMISYS

More information can be found at this Sophos page.