Virus Database


Trojan.Win32.Glieder.gen

Description Trojan.Win32.Glieder.gen

This Trojan is designed to secretly download and launch other malicious programs on victim machines. It has two components (files); the first file, when launched, copies itself to the Windows system directory and creates an entry in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
This ensures that the program will be run each time the system is started.
The Trojan then saves the second component to the Windows system directory and injects it into the explorer.exe process. All actions then appear to be conducted by the explorer.exe process.
The Trojan:
disables Windows Firewall
prevents antivirus databases of a range of antivirus software from being updated
downloads malicious programs from a large number of sites (a list of sites is coded into the body of the Trojan) and then launches them on the victim machine.


Ida.1490

Description Ida.1490

It is a dangerous memory-resident parasitic polymorphic virus. It hooks INT 1Ch and INT 21h and writes itself to the end of COM files that are accessed. The virus's polymorphic engine is quite sophisticated: the decryption loop does not contain the decryption key in the clear. Instead, it tries to decrypt the virus code with different keys, calculates the CRC of the decrypted data, and passes control to the virus code if the CRC is correct. The engine has a bug: in some cases the virus cannot decrypt itself and the system halts.
The virus looks for the text "VERA" on the screen and appends "I Veronika !". The virus also contains the text:
[IDA] v0.01 Serg_Enigma

IDEA.6126

Description IDEA.6126

It is a non-dangerous, memory-resident polymorphic parasitic virus. The virus code is encrypted three times: the first loop is polymorphic; the other loops are not polymorphic, but they use the IDEA encryption algorithm. As a result, decrypting the virus is quite a complex task, and when an infected file is executed even Pentium computers "sleep" for a second or two while the virus decrypts itself.
The virus then hooks INT 21h and stays memory resident. When COM and EXE files are executed, the virus writes itself to the end of the file. The virus does not infect COMMAND.COM and several anti-virus programs (TBAV, AVP, NAV, FINDVIRU, F-PROT, all) according to the string (two letters per name):
TBVIAVNAVSFIF-FVIVDRSCGUCO

After infecting a file, the virus opens the ANTI-VIR.DAT file (if it exists) and patches the name of the just-infected file there: it replaces the first character of the file name with 01h (the ASCII smiley character).
When ZIP files are accessed by the FindFirst/FindNext DOS functions, the virus adds an infected README.COM file to the ZIP archive. To do this, the virus drops a file on disk, infects it, appends the infected file to the archive and then modifies the archive structure. As a host file the virus uses one of three simple video-effect programs that it keeps in its code. When executed, these programs manifest themselves with a video effect and display the messages:
Downloaded From
http://www.narkotic.com/~vico
Da BeSt BoaRd In SPaiN: El GriLLo Loco (34-1-352 24 45)
* ROADKILL BBS *
Call now 028-6621590

While infecting ZIP archives the virus creates three temporary files: DIR.SKA, END.SKA, ADD.SKA.
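
A triage check for the ZIP-infection traces described above, as an added example that is not part of the original description: it lists README.COM entries in an archive and matches the three .SKA temporary file names. The function names and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Names taken from the description above; matching is case-insensitive
# because DOS file names are not case-sensitive.
DROPPED_NAME = "README.COM"
TEMP_NAMES = {"DIR.SKA", "END.SKA", "ADD.SKA"}


def _basename(path):
    """Last path component, accepting both ZIP ('/') and DOS ('\\') separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].upper()


def suspicious_zip_entries(data):
    """Return (name, size) for every README.COM entry in a ZIP given as bytes.

    Only the central directory is read; nothing is extracted or executed.
    A hit is a lead for further analysis, not proof of infection, since
    README.COM is also a legitimate DOS-era file name.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir() and _basename(info.filename) == DROPPED_NAME:
                hits.append((info.filename, info.file_size))
    return hits


def leftover_temp_files(filenames):
    """Return those names that match the temporary files listed above."""
    return sorted(n for n in filenames if _basename(n) in TEMP_NAMES)


def _constructed_sample():
    """Build a harmless in-memory archive (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/manual.txt", "hello")
        zf.writestr("readme.com", b"\x00" * 16)  # placeholder bytes only
        zf.writestr("README.TXT", "plain text")
    return buf.getvalue()


if __name__ == "__main__":
    print(suspicious_zip_entries(_constructed_sample()))
    print(leftover_temp_files(["C:\\TEMP\\dir.ska", "NOTES.TXT", "ADD.SKA"]))
```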
At 15:30 the virus creates the C:\VIRUS.COM file, writes the standard EICAR anti-virus test file to it, manifests itself with a video effect and displays the rotated message:
Warning!
strong
crypto
inside

The virus also contains the text strings:
IDEA virus (c) Spanska 98
Thx to Rajaat (poly),
F Mirza (IDEA),
Wild Worker (zip),
Solar D (road)

    Copyright © 2005 Virus-Database.com