Virus Database

TrojanClicker.Win32.QHost.a

Description TrojanClicker.Win32.QHost.a
TrojanClicker.Win32.Qhost is a family of Trojan horses that primarily replace or alter the HOSTS file in which corresponding IP addresses and names of remote computers are held. Usually this leads to an increase in incoming traffic to the sites. To accomplish this a rule is used for expanding file names in TCP/IP: first the HOSTS file is examined and if there is no correspondence found, names are converted so that network services permit the name (more details can be found in operating system documentation).
Once the Trojan program is run, it modifies the HOSTS file by writing to it false correspondences such as:
645238813 auto.search.msn.com
38.117.144.29 www.altavista.com

This is done so that when handled by the msn.com and altavista.com servers the operating system detects a corresponding entry in the HOSTS file and sends a request to the 38.117.144.29. IP address.
The Trojan mainly uses high traffic and well-known Internet sites in order that the stream of requests to the false IP address is as great as possible.
Evildoers may be seeking to:
organize a DoS (denial of service) attack on a server
increase traffic to his or her site in order to increase advertising value
attract potential virus victims

Check other viruses! Be aware! Use Antiviral Software

Pelf.2132

Description Pelf.2132

(aka Lindose)
This is a harmless non-memory resident parasitic multipartite virus. It infects Windows executable files as well as Linux ones (Windows PE files and Linux ELF files).
The virus is written in Assembler, and is about 2.5 Kb in size. It does not manifest itself in any way, and it is like a multiplatform Windows-Linux virus concept.
The virus contains the text strings:
[Win32/Linux.Winux] multi-platform virus by Benny/29A
This GNU program is covered by GPL.
To infect executable files of both systems, and to spread under both these system, the virus routines are separated into two blocks: the former block is activated under Windows, it then looks for Windows and Linux executable files and infects them; the latter block is activated under Linux, looking for executables files and infecting them as well.
The Windows part
It searches for the all files in the current and upper directory, and infects PE files and Linux ELF files (it checks the file type by file format). It infects both types, and has two subroutines for each (Windows version).
The Linux part
This part searches for the all files in the current directory, and infects PE files and Linux ELF files (it checks the file type by file format). It infects both types, and has two subroutines for each type (Linux version).
Infecting Windows PE files
The virus scans for the ".reloc" section. If this section is found, the virus writes itself to the middle of the file. It saves the original Entry Point address, and restores the PE file after it has finished its work.
Infecting Linux ELF files
The virus writes itself to the Entry Point of the file. It saves original data at the end, and saves code from Entry Point and restores the ELF file after finishing its work.

Pempe family

Description Pempe family

These are not dangerous memory resident parasitic viruses, "Pempe.1943" encrypted. They trace INT 13h, 21h, hook INT 8, 21h and on disk access DOS calls search for .EXE files and write themselves to the end of the file. Depending on their counters the viruses decrypt and display the message:
+-----------------------------+
| P E M P E |
| AMACC (Makati,Phils) [PM] |
+-----------------------------+

The "Pempe.1811" virus also contains the text:
PEMPE 1.2

Home