Selected viruses, spyware, and other threats: sorted alphabetically
This is a polymorphic, memory resident virus for Windows 95/98. It infects the boot sector of diskettes as well as EXE files in the format “Portable Executable“ (PE). The virus is equipped with a two-phase decryptor which uses some less standard methods. When the virus is executed and decodes its body it creates the file FONO98.VXD in the directory C:\WINDOWS\SYSTEM and registers it in SYSTEM.INI, in the part [386Enh] by the string “device=fono98.vxd”. Then it deletes the file HSFLOP.PDR in the directory C:\WINDOWS\SYSTEM\IOSUBSYS. By doing this the virus has ensured approach to bios operations with diskettes drives. Upon the system restart the virus is active. It observes creating of archive files with extensions LHA, LZH, PAK, ZIP, ARJ and RAR and inserts a COM file (but the extension of that file may also be EXE) into them. It creates the name of the file from four letters randomly chosen from the alphabet in the range A to P. The file is inserted in not compressed format and after being executed it installs the virus, i.e. it is a classical “dropper“.
When the file MIRC32.EXE (a program for utilizing the IRC service) is executed the virus writes into the configuration file MIRC.INI lines “[fileserver]” and “Warning=Off”. It creates files SCRIPT.INI, SCRIPT.OLD, INCA.EXE and REVENGE.COM. If INCA.EXE is the abovementioned “dropper“ the program REVENGE.COM is finding out whether BIOS comes from the company Award. If it does, it carries out some alternations in the CMOS memory. These changes may damage computers with certain types of motherboards. When connected to an IRC channel the virus ensures automatic sending of prepared files to all participants of the chat and then observes whether specific words appear in their sentences. If someone uses the word “el_inca“, REVENGE.COM is started. If the word “ancev“ is found the one who used it is allowed approach to disk C: belonging to other participant of the chat. After writing the password “_29A_“ (the name of a Spanish group of virus writers) the program Mirc terminates its run.
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.