A file named help.pif in the c:\windows\system folder is run on boot up out of the registry under a listing of Windows Help Engine. It is delivered by a file named iQtcy.exe which I found in c:\windows\temp on a PC I was working on. I don't know how the file got there, but I did find the JS.Exception.exploit virus once Norton AntiVirus was reinstalled.

The help.pif file seems to contain a corrupted version of the mIRC 6.02 client. mIRC has been attacked by other worms such as the IRC/Flood trojan virus. Norton AntiVirus does not detect it; ZoneAlarm will see it trying to communicate. Using the Ethereal packet sniffer I found it communicated from ports 1238, 1028, 1039 to myuse.isasecret.com:6667 via TCP, but it also seems to try and use NetBIOS - it was querying port 137 to h8m.ath.cx and nstserv.cjb.net.

It has been found before on someone's desktop, but other than that there is very limited info out there. I have submitted the file to several anti-virus companies.
traceroute to myuse.isasecret.com (1.1.1.1), 30 hops max, 38 byte packets
 1 iocom-pnet-FA0-0.iocomcorp.net (206.224.79.77) 2.192 1.410 1.364
 2 aus-gw-S2-0-DS3.iocomcorp.net (206.224.79.37) 3.689 1.709 1.793
 3 209-99-107-65.texas.net (209.99.107.65) 2.130 2.045 2.500
 4 lc1.gw1.aus1.texas.net (216.166.60.1) 2.179 1.770 2.021
 5 12.124.219.45 (12.124.219.45) 2.632 !H * 2.389 !H

traceroute to h8m.ath.cx (1.1.1.1), 30 hops max, 38 byte packets
 1 iocom-pnet-FA0-0.iocomcorp.net (206.224.79.77) 3.004 2.295 1.785
 2 aus-gw-S2-0-DS3.iocomcorp.net (206.224.79.37) 3.933 2.416 2.248
 3 209-99-107-65.texas.net (209.99.107.65) 4.453 2.921 5.787
 4 lc1.gw1.aus1.texas.net (216.166.60.1) 3.992 2.557 2.446
 5 12.124.219.45 (12.124.219.45) 2.745 !H * 2.764 !H

traceroute 'nstserv.cjb.net': Note: this may take up to a minute.
traceroute to nstserv.cjb.net (0.0.0.0), 30 hops max, 38 byte packets
 1 localhost.localdomain (127.0.0.1) 0.416 0.151 0.142
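As an added example (not part of the original report), the traffic pattern described above can be turned into a simple network-side check: outbound TCP to IRC port 6667, NetBIOS name queries (UDP 137) leaving the LAN, and destinations in the dynamic-DNS domains named in the report. The flow-summary line format and the sample lines are constructed for this example; the host names and ports come from the report.

```python
import ipaddress
import re
from collections import namedtuple

# Indicators taken from the help.pif report: IRC C2 port, NetBIOS name service port,
# the three destination hosts, and their dynamic-DNS / throwaway domains.
IRC_PORT = 6667
NETBIOS_NS_PORT = 137
SUSPECT_HOSTS = {"myuse.isasecret.com", "h8m.ath.cx", "nstserv.cjb.net"}
DYNDNS_SUFFIXES = (".ath.cx", ".cjb.net", ".isasecret.com")

Flow = namedtuple("Flow", "proto src_port dst_host dst_port")

# Constructed one-line flow format: "<PROTO> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+\S+:(?P<sport>\d+)\s*->\s*(?P<dhost>\S+):(?P<dport>\d+)$")

def is_private(host):
    """True only for RFC 1918 / loopback addresses; DNS names are treated as external."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False

def parse_flow(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["proto"], int(m["sport"]), m["dhost"].lower(), int(m["dport"]))

def classify(flow):
    """Return the reasons (possibly none) a flow matches the help.pif traffic pattern."""
    reasons = []
    if flow.proto == "TCP" and flow.dst_port == IRC_PORT:
        reasons.append("outbound IRC (6667) from a workstation")
    if flow.proto == "UDP" and flow.dst_port == NETBIOS_NS_PORT and not is_private(flow.dst_host):
        reasons.append("NetBIOS name query (137) to an external host")
    if flow.dst_host in SUSPECT_HOSTS:
        reasons.append("destination host named in the help.pif report")
    elif flow.dst_host.endswith(DYNDNS_SUFFIXES):
        reasons.append("destination in a dynamic-DNS domain used by the sample")
    return reasons

def scan(lines):
    """Parse flow-summary lines and return (flow, reasons) for every suspicious flow."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is not None and classify(flow):
            alerts.append((flow, classify(flow)))
    return alerts

# Constructed sample flows: three mirror the report, the last is benign web traffic.
SAMPLE = """TCP 192.168.0.10:1238 -> myuse.isasecret.com:6667
UDP 192.168.0.10:137 -> h8m.ath.cx:137
UDP 192.168.0.10:137 -> nstserv.cjb.net:137
TCP 192.168.0.10:1040 -> www.example.com:80""".splitlines()

if __name__ == "__main__":
    for flow, reasons in scan(SAMPLE):
        print(f"{flow.proto} {flow.dst_host}:{flow.dst_port}: {'; '.join(reasons)}")
```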