Trojan.Win32.Eurosol.20
Description Trojan.Win32.Eurosol.20
This is a Trojan horse that masquerades as a program offering an actual credit card in exchange for viewing fifteen advertising banners. In actuality, the Trojan installs itself into the system and steals key files from the WebMoney.ru program, should this be installed on a victim's computer. WebMoney.ru allows users to use "virtual" money in a WebMoney.ru Transfer account, with which they make purchases from e-tailers (Internet retailers) and transfer money between client systems. In addition, the virtual money can be converted into actual cash, and vice versa. Additional information is available at www.webmoney.ru

Upon start-up, the Trojan displays a window offering the user the chance to view some advertising banners. At this point, the Trojan copies itself into the %WinDir% directory (the Windows installation directory) under the name Netbios32.exe, and registers itself in the file System.ini:

[boot]
shell=Explorer.exe NetBios32.exe /run

In this way, the Trojan is guaranteed to be started secretly upon every system start-up. In addition, it checks for the installed firewall ATGuard and, when it is detected, changes its settings so that ATGuard doesn't prevent the TCP/IP connection with the external servers from being established. It also creates several service files in the %WinDir% directory.

The Trojan then searches for the installed WebMoney.ru program, looking for the files Keys.kwm (secret key) and Purses.kwm (a virtual "wallet"). The files are encrypted and sent to an FTP server. The malefactor behind the Trojan is then able to retrieve the stolen "wallet" and the key to it from the server and attach them to a personal copy of the WebMoney.ru program. Following this, the malefactor can transfer any money contained in the WebMoney.ru account to a personal account, or receive cash via postal transfer in the receiver's name.
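The System.ini registration described above can be checked for directly. The following is an added example, not part of the original description: it reads the [boot] section and reports any shell= value that launches something besides Explorer. The sample text is constructed from the lines quoted above, and the function names and the assumption that the stock value is Explorer.exe alone are this example's own.

```python
import re

# Constructed sample: the [boot] section as the description shows it after infection.
INFECTED_SAMPLE = """\
; constructed sample of %WinDir%\\System.ini
[boot]
shell=Explorer.exe NetBios32.exe /run
system.drv=system.drv

[386Enh]
woafont=dosapp.fon
"""

CLEAN_SAMPLE = INFECTED_SAMPLE.replace(" NetBios32.exe /run", "")

EXPECTED_SHELL = "explorer.exe"  # assumption: the stock shell= value is Explorer alone


def boot_shell_values(ini_text):
    """Return every shell= value found in the [boot] section."""
    section, values = None, []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "boot" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "shell":
                values.append(value.strip())
    return values


def audit_shell(ini_text):
    """Return (reason, detail) findings for shell= values that start more than Explorer."""
    findings = []
    for value in boot_shell_values(ini_text):
        tokens = value.split()
        first = tokens[0].lower() if tokens else ""
        # Compare the base name so a full path to explorer.exe is accepted.
        if first.replace("/", "\\").rsplit("\\", 1)[-1] != EXPECTED_SHELL:
            findings.append(("unexpected shell", value))
        elif len(tokens) > 1:
            findings.append(("extra program appended", " ".join(tokens[1:])))
    return findings
```

On a live system the same function would be fed the contents of %WinDir%\System.ini; any finding is a prompt to inspect the named file, not proof of this particular Trojan.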
Andromeda.758
Description Andromeda.758
It is a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of .COM files (except COMMAND.COM). It searches for files to infect whenever any program is executed. When infecting, it uses the FCB functions for file reading and writing. On October 5th it erases the FAT of the A: drive. It contains the internal text string "[ANDROMEDA V1.1] BUDAPEST HUNGARY".
Andry.2900
Description Andry.2900
It is a dangerous memory resident parasitic virus. It hooks INT 9 and INT 21h and writes itself to the end of COM and EXE files that are executed. After infecting a file, the virus attempts to infect the COMMAND.COM file in the root directory of the current disk.

The virus has errors and infects files two or more times. It also installs itself in memory as many times as infected programs are executed. As a result, after some time DOS memory is occupied by copies of the virus and the system cannot load any application.

By hooking INT 9 (keyboard), the virus "eats" every 100th keystroke.

On March 1st the virus displays the message:

+----------------------------------------------------------------+
| xxxxx xxx xx xxxxx xxxxxx xx xx |
| xx xx xx x xx xx x xx xx xx xx |
| xxxxxxx xx x xx xx xx xxxxxx xx |
| xx xx xx x xx xx x xx xx xx |
| xx xx xx xxx xxxxx xx xx xx |
|                                                                |
| xxxxx xx xx xxxxxx xx xxxxx xxxxxxxx xx xxxxx xxx xx |
| xx xx xx xx xx xx xx xx xx xx xx xx x xx |
| xx xxxxxxx xxxxxx xx xxxxx xx xx xxxxxxx xx x xx |
| xx xx xx xx xx xx xx xx xx xx xx xx x xx |
| xxxxx xx xx xx xx xx xxxxx xx xx xx xx xx xxx |
+----------------------------------------------------------------+

The virus then waits for March 2nd and displays:

ANDRY CHRISTIAN VIRUS WILL BE --> ACTIVE NEXT YEAR !

The virus also contains the text string:

~INA (ž) 1997 Hackware Technology Research~