Trojan.PSW.CrazyBilets
Description Trojan.PSW.CrazyBilets
This program belongs to the family of password-stealing Trojans. It was spread from a publicly accessible Web page on the narod.ru server at the beginning of June 2002. The web page contained the following: Intermediate Examinations Test papers for mathematics and topics for compositions. Still FREE!
The file residing on the web page is a Trojan installer. When run, it drops a Trojan program into the Windows directory, then extracts and creates fake examination topics (in Russian). The Trojan itself is a Windows PE EXE file about 27Kb in length (compressed by UPX, the decompressed size is about 83Kb) and written in Delphi. When executed, the Trojan copies itself to the Windows directory under the SYSTEM.EX name and registers this file in the system registry auto-run key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run System = %WindowsDir%\System.exe
The main function of the CrazyBilets Trojan is collecting cached Windows passwords on victim machines and sending this information to its "master" by direct connection to an SMTP server.
Hello.731
Description Hello.731
It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed. The virus contains the text: hello
HelloBaby.962
Description HelloBaby.962
It is not a dangerous memory resident parasitic virus. It hooks INT 1Ch and 21h and intercepts the DOS function GetDiskSpace; when that function is called, the virus searches for .EXE files and writes itself to the end of the file. On January 1st the virus decrypts and displays the message: HELLO,BABY! I LOVE YOU