Virus Database


Trojan.Win32.Lovadot.d

Description Trojan.Win32.Lovadot.d

This Trojan program is written in VB5, and compiled as a PCode application, about 46KB in size, which usually enters the system as a file named "movie.exe".
When run, it will first attempt to make a copy of itself in "c:\windows\system\sysgo.exe", and will also create a batch file named "c:\sysgo.bat", which is supposed to keep making copies of the "sysgo.exe" instance in the Windows (9X) startup directory, so it will get executed every time the system is started. If the operating system is not Windows 95, 98 or ME, the Trojan installation routines will fail, and the Trojan will not be executed with every system reboot.
The Trojan also inserts a line stating "sysgo" in "c:\autoexec.bat", and when everything is finished, a file named "pawn.dat" is dumped in the current directory, which contains a single word, "Done". The active Trojan part does not attempt to listen to any ports, and has no backdoors inside. However, if an Internet connection is available, depending on several conditions, it will connect to the "www.loveadot.com" server, and perform a series of tasks.
The main purpose of these tasks seems to be looking through a search engine for pages belonging to or containing the keyword "kcsmith", and then to find AD ("Advertising") pop-ups in those pages, and do the equivalent of "clicking" them.
We assume that "kcsmith" has set up a certain number of "Pay on click" pages, and is using the Trojan to make money from unsuspecting users.
Another routine in the Trojan will read the value stored in "http://www.loveadot.com/server.txt" and add it to an internal list; the Trojan will then connect to the "www.loveadot.com" server and try to access a certain page, sending the IP address as a parameter. The respective page is either no longer available, or has not yet been uploaded. The Trojan will also attempt to access the server whose address is specified in the "server.txt" file, and send various data to it. At this time, the address from "server.txt" belongs to a machine located in the US, and seems to be down.

Macro.Excel.Laroux

Description Macro.Excel.Laroux

This virus infects Excel sheets (XLS files). It contains two macros: auto_open and check_files. While loading an infected document, Excel executes the auto macro auto_open, and the virus gains control. The virus auto_open macro contains just one command that defines the check_files macro as a handler of the OnSheetActivate routine. As a result, the virus hooks the sheet-activate routine, and while opening a sheet, the virus (the check_files macro) gains control.
When the check_files macro gains control, it searches for PERSONAL.XLS files in the Excel Startup directory, and checks the module count in the current Workbook.
If the infected macro is an active Workbook, and the PERSONAL.XLS file does not exist in the Excel Startup directory (the virus is executed for the first time), the virus creates that file there, and saves its code to that file using the SaveAs command. When Excel is loading its modules the next time, it automatically loads all XLS files from the Startup directory. As a result, the infected PERSONAL.XLS is loaded as well as other files, the virus gains control, and hooks the sheet activation routine.
If the active macro is not infected (there are no modules in the active Workbook), and the PERSONAL.XLS file exists in the Excel directory, the virus copies its code to the active Workbook. As a result the active Workbook is infected.
To check your system for the virus, you should check PERSONAL.XLS and other XLS files for the string "laroux" that is present in infected sheets.
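
The check described above, sketched as an added Python example (not part of the original description): it walks a directory tree and flags .xls files, PERSONAL.XLS included, that contain the string "laroux". Matching case-insensitively and in both single-byte and UTF-16LE form is an assumption, since the description does not say how the string is stored; `contains_marker` and `scan_tree` are hypothetical helper names.

```python
import os
import sys

MARKER = "laroux"  # string the description says is present in infected sheets
# Assumption: the marker may be stored as single-byte text or as UTF-16LE.
PATTERNS = (MARKER.encode("ascii"), MARKER.encode("utf-16-le"))


def contains_marker(path, chunk_size=1 << 20):
    """Stream the file and report whether any marker encoding occurs in it."""
    overlap = max(len(p) for p in PATTERNS) - 1  # catches hits split across reads
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return False
            window = (tail + chunk).lower()  # bytes.lower() folds ASCII letters only
            if any(p in window for p in PATTERNS):
                return True
            tail = window[-overlap:]


def scan_tree(root):
    """Return (hits, unreadable): sorted paths of flagged and unreadable .xls files."""
    hits, unreadable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".xls"):
                continue
            path = os.path.join(dirpath, name)
            try:
                if contains_marker(path):
                    hits.append(path)
            except OSError:
                unreadable.append(path)  # locked or permission-denied: review by hand
    return sorted(hits), sorted(unreadable)


if __name__ == "__main__":
    # Point this at the Excel Startup directory and at document folders.
    found, skipped = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for p in found:
        print("contains 'laroux':", p)
    for p in skipped:
        print("could not read:", p)
    sys.exit(1 if found else 0)
```

A hit is a lead to examine rather than proof of infection, since any workbook that merely mentions the word would also match.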

Macro.Excel.Laroux.YZ

Description Macro.Excel.Laroux.YZ

This virus is related to "Laroux". After seven infections it manifests itself with a video effect: it changes the colors of cells so that the result is a colored mosaic text:
larou
XYZ

    Copyright © 2005 Virus-Database.com