Virus Database

Trojan.Win32.Xalnaga.a

Description Trojan.Win32.Xalnaga.a

This is a Win32 Trojan horse. When run, it modifies the Registry keys listed below and exits. The resulting effect of the Trojan running is the fact that Windows stays mostly non-functional: all icons on Desktop are removed, so it is not possible to reboot the machine in the usual way, etc.
The Trojan has the "copyright" string:
Tyrant-28881 {T-28881} virus
The affected registry keys are:
Key1:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer
NoDesktop = 1
Key2:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionWinlogon

NoRun = 1
NoFind = 1
NoClose = 1
Key3:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem

DisableRegistryTools = 1
Key4:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionWinlogon

LegalNoticeCaption = <<< Xal Naga was here >>>
LegalNoticeText = The human era has come to an end, the new breed of humans will evolve right now !!! Behold and despair !!!
The results are:
all icons are removed from Desktop (key1)
the "Start" menu items are removed: Run, Find, Shut Down (key2)
standard Registry editors under WinNT are disabled(key3)
message box displayed on logon: (key4)

Because of a bug in the Trojan, Key3 is written to the Registry in an incorrect form, and this action doesn't function - it is possible to run Regedit and repair affected keys.
Repair: set these keys to '0' or delete them.
Regedit.exe run: select StartProgramsWindows Explorer, then browse for Regedit.exe and run it.

Check other viruses! Be aware! Use Antiviral Software

Poopie.284

Description Poopie.284

This is a very dangerous non-memory resident overwriting virus. It searches for .COM files of the current directory of the C: drive and C:DOS directory, and overwrites the files. On the 30th of any month, the virus erases the disk sectors, and on Sundays, it sets the current date to January 1, 2000. The virus contains the following text strings:
*.COM DOS
[Poopie/MDK]

PoorMan.1168y

Description PoorMan.1168y

It is a dangerous nonmemory resident parasitic virus. Being executed it infects "C:COMMAND.COM", "C:DOSCOMMAND.COM" and "COMMAND.COM" files, then it searches for .COM files of current directory and infects them. It writes itself to the end of the file. Depending on the current time it displays the message and erases MBR of hard drive, the message is:
Good morning, sir! How nice it is! Please give me some money, I,m a poor
man. Do some good things, sir!

Home