Virus Database

Trojan.Win32.KillAV.bl

Description Trojan.Win32.KillAV.bl
This is a primitive Win32 Trojan. The size of the executable file is 32238 bytes.
The program searches for and deletes the services and processes listed below:
claw95cf
claw95ct
cleaner
cleaner3
cmgrdian
connectionmonitor
cpd
cpdclnt
ctrl
defalert
defscangui
defwatch
dllhost
doors
dv95
dv95_o
dvp95
dvp95_0
ecengine
edi
efinet32
efpeadm
esafe
espwatch
etrustcipe
evpn
expert
f-agnt95
fameh32
fch32
fih32
findviru
fnrb32
fprot
f-prot
fprot95
f-prot95
fp-win
frw
fsaa
fsav32
fsgk32
fsm32
fsma32
fsmb32
f-stopw
gbmenu
gbpoll
generics
gibe
guard
guarddog
iamapp
iamserv
iamstats
ibmasn
ibmavsp
icload95
icloadnt
icmon
icmoon
icssuppnt
icsupp
icsupp95
icsuppnt
iface
iomon98
isrv95
jed
jedi
kpf
kpfw32
ldnetmon
ldpromenu
ldscan
lockdown
lockdown2000
lookout
luall
lucomserver
luspt
mcagent
mcmnhdlr
mcshield
mctool
mcupdate
mcvsrte
mcvsshld
mgavrtcl
mgavrte
mghtml
minilog
monitor
moolive
mpfagent
mpfservice
mpftray
msblast
msconfig
mspatch
mwatch
n32scan
n32scanw
nai_vs_stat
nav32_loader
navap
navapsvc
navapw32
navauto-protect
navengnavex15
navlu32
navnt
navsched
navw
navw32
navwnt
ndd32
neowatchlog
netutils
nisserv
nisum
nmain
nod32
normist
notstart
nprotect
npscheck
npssvc
nsched32
nsplugin
ntrtscan
ntvdm
ntxconfig
nui
nupdate
nupgrade
nvc95
nvsvc32
nwservice
nwtool16
ogrc
outpost
padmin
pavcl
pavproxy
pavsched
pavw
pcciomon
pccmain
pccntmon
pccwin97
pccwin98
pcfwallicon
pcscan
penis32
persfw
perswf
pop3trap
poproxy
portmonitor
processmonitor
programauditor
pview
pview95
rapapp
rav
rav7
rav7win
realmon
regedit
rescue
rtvscn95
rulaunch
safeweb
sbserv
scan32
scan95
scanpm
scrscan
scvhosl
serv95
smc
smss
sphinx
spider
spyxx
ss3edit
sweep
sweep95
sweepnet
sweepsrv.sys
swnetsup
symproxysvc
symtray
syshelp
taumon
tbscan
tc
tca
tcm
tcpsvs32
tds2
tds2-98
tds2-nt
tds-3
tfak
tftpd
vbcmserv
vbcons
vcleaner
vcontrol
vet32
vet95
vet98
vettray
vir-help
vpc32
vptray
vscan
vscan40
vsched
vsecomr
vshwin32
vsmain
vsmon
vsscan40
vsstat
watchdog
webscan
webscanx
webtrap
wfindv32
wgfe95
wimmun32
wingate
winhlpp32
wink
winmgm32
winppr32
winservices
wradmin
wrctrl
zapro
zonalarm
zonealarm
_avp
_avp32
_avpcc
_avpm
_findviru
ackwin32
advxdwin
agentw
alertsvc
alogserv
amon
amon9x
anti-trojan
ants
aplica32
apvxdwin
atcon
atguard
atupdater
atwatch
autodown
autotrace
avconsol
ave32
avgcc32
avgctrl
avgserv
avgserv9
avgw
avkpop
avkserv
avkservice
avkwctl9
avnt
avp
avp32
avpcc
avpdos32
avpm
avpmon
avpnt
avptc32
avpupd
avsched32
avsynmgr
avwin95
avwinnt
avwupd32
avxmonitor9x
avxmonitornt
avxquar
avxw
azonealarm
blackd
blackice
bootwarn
ccapp
ccshtdwn
cdp
cfgwiz
cfiadmin
cfiaudit
cfind
cfinet
cfinet32
claw95

Check other viruses! Be aware! Use Antiviral Software

CMOS.a

Description CMOS.a

It is a dangerous memory resident stealth boot virus. It corrupts the CMOS memory. On loading from infected disk the virus copies itself to the address 9F80:0000, hooks INT 13h and writes itself to the MBR of the hard drive and the boot sectors of the floppy disks. The original MBR is saved to the second sector on the hard drive, the boot sector of floppy disk to the last sector of root directory on the disk.

CmosDead family

Description CmosDead family

These are very dangerous memory resident parasitic polymorphic and stealth viruses. They trace and hook INT 21h, stay memory resident and then write themselves to the end of COM and EXE files that are accessed. The viruses do not infect the anti-virus programs and several utilities:
AVG SYS SCAN CLEAN WIN TBAV PROT GUARD VS 286 386 DSK

When CHKDSK is run, the viruses disable their stealth routines. In some cases when listed above programs are executed, the viruses display the message and disable executing:
I don't like this program !

The viruses use anti-debug tricks. Under debugger they display the message and halt the computer:
BE CAREFUL !

Depending on their internal counters the viruses hook INT 9 (keyboard), corrupt the CMOS, display the message:
GRISOFT(c) SOFTWARE 1989,96

and manifest themselves with a video effect. If Ctrl-Alt-Del keys are pressed during effect, the viruses call disk formatting BIOS routine.
In some cases the viruses call the same effect routine, then they overwrite the MBR of the hard drive with a program that displays on booting:
CMOS-DEAD: DATA DESTROYED !

The viruses also contain the text string:
Hello Mr. Odehnal !

as well as:
"Odehnal.4792": EXECOM12/19/91
"Odehnal.5154": EXECOM06/12/95

Home