Virus Database


Trojan.Clicker.NetBuie a-b

Description Trojan.Clicker.NetBuie a-b

NetBuie is a trojan horse that carries out periodic "clicks" or "hits" on banners held by the person or persons who created this virus; the purpose is to raise their rating (value). The virus is a self-extracting ZIP archive containing two EXE files. Both files are written in Visual Basic 6.0, and the trojan is distributed disguised as an Xbox emulator.
Below are descriptions for NetBuie variants A and B:



NetBuie.a
When launched, this variant of the NetBuie Trojan unpacks the two EXE files into the Windows system directory under the names %WinDir%\System\NBConfig.exe and %WinDir%\System\NetBUIE.exe.
Next it creates a new entry in the registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NetBUIE"="C:\windows\system\NetBUIE.exe"
Once this is done, NetBuie executes the file NBConfig.exe and then displays the following false message:

NetBuie then starts the NetBUIE.exe program that periodically and clandestinely starts the web-browser and directs it to one of three web addresses:

http://hg1.hitbox.com/HG?hc=w114&cd=1&hb=WQ500421D7CZ38EN0&n=Stealth4
http://fastcounter.bcentral.com/fastcounter?1817391+3634789
http://www.scorpionsearch.com/admin.html



NetBuie.b
When launched, this variant of the NetBuie Trojan unpacks the EXE files into the Windows system directory under the names %WinDir%\System\DConfig.exe and %WinDir%\System\StealthXP.exe.
Next it creates new entries in the registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NetBUIE"=""
"StealthXP"="C:\WINDOWS\SYSTEM\StealthXP.exe"

Once this is done, NetBuie executes the file DConfig.exe and then displays the following false message:

NetBuie then starts the StealthXP.exe program that periodically and clandestinely starts the web-browser and directs it to one of three web addresses:

http://hg1.hitbox.com/HG?hc=w114&cd=1&hb=WQ500421D7CZ38EN0&n=Stealth4
http://fastcounter.bcentral.com/fastcounter?1817391+3634789
http://www.scorpionsearch.com/admin.html
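
The autostart entries described for NetBuie.a and NetBuie.b can be checked for in a registry export. The following is an added triage example, not part of the original description: it assumes the text of a regedit export has already been read and decoded, the function names are hypothetical, and the sample export is constructed.

```python
import re

# Autostart key and value names taken from the NetBuie.a / NetBuie.b descriptions.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r'\\([\\"])', r"\1", s)

def classify(name, data):
    """Return the variant a Run value points to, or None if unrelated."""
    name = name.lower()  # registry value names are case-insensitive
    exe = data.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name == "stealthxp" or exe == "stealthxp.exe":
        return "NetBuie.b"
    if name == "netbuie" or exe == "netbuie.exe":
        # Variant B leaves "NetBUIE" behind with empty data.
        return "NetBuie.a" if data else "NetBuie.b"
    return None

def scan_reg_export(text):
    """Scan decoded .reg export text; return (value, variant, data) tuples."""
    findings, in_run = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY  # only the Run key counts
            continue
        m = VALUE_RE.match(line)
        if in_run and m:
            name, data = _unescape(m.group(1)), _unescape(m.group(2))
            variant = classify(name, data)
            if variant:
                findings.append((name, variant, data))
    return findings

# Constructed sample export (not captured from an infected machine).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"NetBUIE"=""
"StealthXP"="C:\\WINDOWS\\SYSTEM\\StealthXP.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"NetBUIE"="C:\\windows\\system\\NetBUIE.exe"
'''
```

Calling `scan_reg_export(SAMPLE)` reports the two variant B entries under Run and ignores the RunOnce section, which the description does not mention.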


Kiuca family

Description Kiuca family

These are harmless memory-resident multipartite viruses. They infect COM and EXE files as well as the boot sector of the C: drive. When an infected file is executed, the viruses infect the hard drive: they write their code and the original boot sector of the C: disk to track/head 0/0 on the hard drive and overwrite the C: disk boot sector with their loading routine.
While loading from an infected hard drive, the virus copies itself to the top of system memory, hooks INT 1Ch, waits for the DOS loading process, then hooks INT 21h and, when any program is executed, completes its installation routine: it allocates a block of DOS memory and copies itself there. As a result the virus does not decrease the total size of DOS memory, but places itself between the DOS kernel and COMMAND.COM. The virus then writes itself to the end of COM and EXE files that are created and then closed.
The virus uses several tricks to avoid detection by integrity (CRC) checkers. It infects only newly created files, or files that are restored from backup archives; as a result there is no information about these files in CRC databases. To hide the infected boot sector, the virus disinfects it when any program (including anti-virus software) is executed, and re-infects it on termination. As a result the disk boot sector is infected only when there are no programs in system memory.
The virus contains the text strings in Russian and English:
(c) Light General.Kiev.KIUCA.1996.NOT for free use.

Kiwi.550

Description Kiwi.550

It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files. It contains the text:
I'm KIWI-586.(C) Vegetable-Soft,1992.DOS AIDSTEST





    Copyright © 2005 Virus-Database.com