Trojan.Win32.AntiBTC
Description Trojan.Win32.AntiBTC
This Trojan arrives as an executable file (our sample was named IE0199.EXE). When it is run, it extracts two files from its body (MPREXE.DLL and SNDVOL.EXE) and copies them to the Windows system directory. Note: the MPREXE.EXE executable file (not a DLL) is one of the standard Windows files. The Trojan then registers the MPREXE.DLL file so that the system runs it upon each reboot. Depending on the Windows version, the registration is done either in the system registry or in the SYSTEM.INI file, in the "drivers=" string of the [boot] section, where the MPREXE.DLL file is listed as auto-executed. When executed, the MPREXE.DLL file just executes the SNDVOL.EXE file and exits. The SNDVOL.EXE file enables auto-dialing by changing the Internet options in the system registry, randomly selects one of three Bulgarian Web servers (www.btc.bg, www.infotel.bg, ns.infotel.bg), connects to it and sleeps for some time. The Trojan does not perform any other actions. As a result, the only possible purpose of this Trojan is to overhear local Bulgarian telephone lines.
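A check for the SYSTEM.INI registration described above, as an added example that is not part of the original description: it reads the "drivers=" string in the [boot] section and reports entries naming MPREXE.DLL. The function names and sample files are constructed for illustration, whitespace-separated entries are an assumption, and the registry variant is not covered because the description does not name the key.

```python
import ntpath

# Indicator from the description above: the DLL the Trojan registers.
SUSPECT_DRIVERS = {"mprexe.dll"}

def boot_drivers(system_ini_text):
    """Return all entries of drivers= lines found in the [boot] section."""
    section, entries = None, []
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INI comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names: case-insensitive
            continue
        key, sep, value = line.partition("=")
        if sep and section == "boot" and key.strip().lower() == "drivers":
            entries.extend(value.split())         # assumption: whitespace-separated
    return entries

def suspicious_drivers(system_ini_text):
    """Return drivers= entries whose file name matches a known indicator."""
    return [e for e in boot_drivers(system_ini_text)
            if ntpath.basename(e.strip('"')).lower() in SUSPECT_DRIVERS]

# Constructed sample files (not taken from a real system).
SAMPLE_INFECTED = """\
[boot]
shell=Explorer.exe
; drivers=MPREXE.DLL (commented out, must be ignored)
Drivers=mmsystem.dll C:\\WINDOWS\\SYSTEM\\MPREXE.DLL

[386Enh]
drivers=MPREXE.DLL
"""
SAMPLE_CLEAN = "[boot]\nshell=Explorer.exe\ndrivers=mmsystem.dll power.drv\n"

if __name__ == "__main__":
    for label, text in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, suspicious_drivers(text))
```

The match is on the exact file name, so an entry for the standard MPREXE.EXE file is not reported.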
Rodolf.4096
Description Rodolf.4096
This is a memory resident parasitic virus that is not dangerous. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. On DOS GetDate calls, and depending on its internal counter, the virus displays the message: Hi hi ! I'm killing you !
It also contains the text strings: Rodolf virus Version 1.0 ED
Rogue.1206
Description Rogue.1206
This is a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. The virus deletes the CHKLIST.* files. Depending on the system date it also hooks INT 8 and displays the message: Now you got a real virus! I'm the ROGUE all! On the same date it corrupts the DBF files. It contains the encrypted string: TEDESVAMORTEQUIERODOROINIMAGINABLE 20-03-89 8:57PM