Troj/Dloader-AP downloads and executes the file sys1st.exe which is detected by Sophos Anti-Virus as Troj/Dloader-AR.
The Trojan copies itself to the Windows folder with the filename win.exe and creates the following registry entry so that the Trojan is run when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winhost = win.exe.
A file may be created in the root folder with the filename mc.com. This file can be safely deleted.