Virus Database


Backdoor.G_Door.20

Description Backdoor.G_Door.20

This backdoor uses standard client-server technology and consists of two parts, a client and a server; both are Windows executable files (PE EXE). The server is installed on victim computers, and the client controls them from a remote station.
Installation
When the server is run on a victim computer, it installs itself to the system: it moves itself to the Windows system directory under the name KERNEL32.EXE and changes the following system registry keys:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] @="C:\WIN98\SYSTEM\KERNEL32.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] @="C:\WIN98\SYSTEM\KERNEL32.EXE"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command] @="C:\WIN98\SYSTEM\KERNEL32.EXE %1"
[HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command] @="C:\WIN98\SYSTEM\KERNEL32.EXE %1"
The name of the Windows system directory (here "C:\WIN98\SYSTEM") depends on the system configuration.
As a result of this registration in the system registry, the server starts automatically at boot time (the first two keys) and also each time a TXT file is opened (the last two keys). In this way, the server starts on Windows start-up and restarts if a user unloads its process from system memory.
Moreover, the server continuously (about every 10 seconds) checks its registry keys. If these keys are changed (the reference to the server file is deleted), the server restores them to the "infected" state.
As a result, removing the backdoor server is not simple: the KERNEL32.EXE server file cannot be removed or renamed while it is running (it is active and locked by the system), and the registry keys are watched by the server (which makes it impossible to reboot the system with a "clean" registry).
Under Win9x, to get rid of this backdoor, boot the computer in DOS mode and remove the KERNEL32.EXE file from the Windows system directory; after booting Windows, remove the references to this file from the system registry. Under WinNT, kill the backdoor's process in Windows memory, then delete the server EXE file and clear the system registry keys.
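A defender's check for the persistence just described, as an added example that is not part of the original page: it parses a registry export in the same one-line-per-key shape shown above and flags the Run/RunServices and txtfile handler default values. The sample exports are constructed for this example, and the "C:\WIN98" directory name is an assumption (the text says it varies per system).

```python
import re

# Constructed sample of a registry export in the shape the description above
# gives; the WIN98 directory name is an assumption (the text says it varies).
INFECTED_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] @="C:\WIN98\SYSTEM\KERNEL32.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] @="C:\WIN98\SYSTEM\KERNEL32.EXE"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command] @="C:\WIN98\SYSTEM\KERNEL32.EXE %1"
[HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command] @="C:\WIN98\SYSTEM\KERNEL32.EXE %1"
"""
# Constructed clean sample: stock .txt handler (notepad), nothing in Run.
CLEAN_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CLASSES_ROOT\txtfile\shell\open\command] @="%SystemRoot%\system32\NOTEPAD.EXE %1"
"""
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
TXT_HANDLER_KEYS = {
    r"hkey_classes_root\txtfile\shell\open\command",
    r"hkey_local_machine\software\classes\txtfile\shell\open\command",
}
KEY_RE = re.compile(r'^\[([^\]]+)\]\s*(.*)$')   # [key path] optionally followed by @=...
VAL_RE = re.compile(r'^@="([^"]*)"')            # default value of the current key

def parse_default_values(reg_text):
    """Map each key path to its default (@) value, for keys that set one."""
    values, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current, line = m.group(1), m.group(2).strip()  # @= may share the line
        v = VAL_RE.match(line)
        if v and current:
            values[current] = v.group(1)
    return values

def find_gdoor_indicators(reg_text):
    """Return (key, value, reason) for default values matching the persistence above."""
    findings = []
    for key, val in parse_default_values(reg_text).items():
        k = key.lower()
        exe = val.split()[0].lower() if val.split() else ""  # drop the " %1" argument
        if k in AUTORUN_KEYS and exe.endswith("\\kernel32.exe"):
            findings.append((key, val, "autorun points at KERNEL32.EXE (real kernel32 is a DLL)"))
        elif k in TXT_HANDLER_KEYS and not exe.endswith("notepad.exe"):
            findings.append((key, val, ".txt open handler does not point at notepad.exe"))
    return findings
```

Because the server rewrites these keys every few seconds, run the check again a short while after cleaning; a value that comes back is the sign the process is still alive.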
Server
To accept connections from the client component, the backdoor server listens on port 7626. Once a client is connected, the server executes the client's commands and gives it control over the victim computer: it manipulates the victim's file system (copies, moves, deletes and creates files, etc.).
Client
The client is able to scan a configured subnet for active servers. On connecting to a server, the client gains control over the victim computer's resources. The client GUI is localized in Chinese.


Louse.919

Description Louse.919

It is a non-dangerous, memory-resident, encrypted parasitic virus. It hooks INT 21h and writes itself to the end of .COM and .EXE files that are accessed. If there is a "hole" of zero bytes at the end of a COM file, the virus writes itself into it, and the file length does not grow. Depending on the system timer, the virus displays the message:
Your disk is abso-fucking-lutely infested with lice!

The virus also contains the text strings:
Louse (pl. lice) - small insect living on plants, bodies of
animals, human beings and disks under dirty conditions.
(c) 01-01-1994

LoveBuzz Family

Description LoveBuzz Family

These are very dangerous memory-resident parasitic viruses. They hook INT 21h and write themselves to the end of files. They contain the text strings:
"LoveBuzz.381": Lyubasha
"LoveBuzz.591": LoveBuzz

"LoveBuzz.381" infects .COM files only, and corrupts them while infecting.
"LoveBuzz.591" infects .COM and .EXE files. When the 16th infected file is executed, the virus erases disk sectors.

Copyright © 2005 Virus-Database.com