TrojanDownloader.Win32.Greetyah.a
Description TrojanDownloader.Win32.Greetyah.a
Greetyah downloads a file from the internet and sets an auto-run key in the system registry in order to establish automatic starts. A mass mailing of this trojan program was detected on March 17th, 2003. The message text appears as follows:
Date: Mon, 17 Mar 2003 14:57:57
From: replymsg@g1.gc.vip.sc5.yahoo.com
To: Ivan Petrov
Subject: Elena_M sent you a Yahoo! Greeting
Yahoo! Greetings Surprise! You've just received a Yahoo! Greeting from from "Elena_M" (elena_m@mail.ru)!
To view this greeting card, click on the following Web address at anytime within the next 30 days.
http://view.greetings.yahoo.com/greet/view?***********
If that doesn't work, go to http://view.greetings.yahoo.com/pickup and copy and paste this code:
BJWU37Y2S4A
Enjoy!
The Yahoo! Greetings Team
© 1996-2003 Yahoo! Greetings http://greetings.yahoo.com/
The program is 3072 bytes in size and is written in assembler. At start the program displays a message box. Next, the program downloads the file sysman32.exe from the site: http://view-greetings-yahoo.com
The file "sysman32.exe" contains another trojan program: Trojan.WebMoney.WMPatch.b
The trojan program copies this file to the Windows system directory and establishes an auto run key (for automatic starts) in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemManager=sysman32.exe
The program also contains the following encrypted strings:
Error
Error on line 25: invalid object Do you want to debug?
InternetOpenA
InternetOpenUrlA
InternetReadFile
RegOpenKeyA
RegSetValueExA
RegCloseKey
CloseHandle
CreateFileA
GetSystemDirectoryA
WriteFile
wininet.dll
advapi32.dll
kernel32.dll
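A sweep for the two host indicators described above (the Run value SystemManager and the file name sysman32.exe), as an added example that is not part of the original description. It assumes the HKLM Run key has been saved in the text format written by `reg export`; the sample export, the function names and the reason labels are constructed for illustration.

```python
import re

# Indicators from the description above: Run-key value name and dropped file name.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
IOC_VALUE_NAME = "systemmanager"
IOC_FILE = re.compile(r'(^|[\\/"\s])sysman32\.exe\b')

SECTION = re.compile(r"^\[(.+)\]$")
# "name"="data" lines (REG_SZ); backslash and quote are backslash-escaped.
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample, in the text format written by `reg export`.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemManager"="sysman32.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\WINDOWS\\System32\\SYSMAN32.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Constructed\Example]
"SystemManager"="notes"
'''

def unescape(s):
    # Undo the .reg escaping of backslash and double quote.
    return re.sub(r"\\(.)", r"\1", s)

def scan_reg_export(text):
    """Return (value_name, data, reasons) for HKLM Run values matching the indicators."""
    findings, in_run_key = [], False
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            # Only values under the HKLM Run key are examined.
            in_run_key = section.group(1).lower() == RUN_KEY
            continue
        value = STRING_VALUE.match(line) if in_run_key else None
        if not value:
            continue  # other keys, blank lines, non-string value types
        name, data = unescape(value.group(1)), unescape(value.group(2))
        reasons = []
        if name.lower() == IOC_VALUE_NAME:
            reasons.append("value name")
        if IOC_FILE.search(data.lower()):
            reasons.append("file name")
        if reasons:
            findings.append((name, data, reasons))
    return findings
```

A real export file is UTF-16 encoded, so decode it to text before passing it to `scan_reg_export`.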
Avalon.814
Description Avalon.814
It is a very dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. On the 31st the virus erases the MBR of the hard drive, hooks INT 1Ch, decrypts and displays the message: AVALON por OSoft
Avatar.Acid.670
Description Avatar.Acid.670
These are very dangerous parasitic viruses. Some of them corrupt disk sectors. They contain the internal texts:
"Avatar.Acid.670,674": [Binary Acid] (c) 1994 Evil Avatar
"Avatar.Acid.736": Virus ANuBiS v.1.0 (c) 1994 Æ Ü ! Realizado en Argentina [AVRL] This is only the beginningall
"Avatar.BigBang.346": [Big Bang] (c) 1993 Evil Avatar *.COM
"Avatar.Dichotomy": [Dichotomy] (c) 1994 Evil Avatar [Dichotomy]
"Avatar.K_Rad.561": Made in the USA [k-rad] by Evil Avatar
"Avatar.Positron.512": [Positron] (c) 1994 Evil Avatar

Avatar.Acid
These are memory resident viruses. They hook INT 21h, and write themselves to the end of COM and EXE files that are executed. On Monday, they erase a randomly selected disk sector.

Avatar.BigBang.346
This is a non-memory resident virus. It searches for .COM files and writes itself to the end of the file. On January 1st, it corrupts the MBR of the hard drive.

Avatar.Dichotomy
This is a dangerous memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of files that are being executed. It correctly infects COM files only, but also infects EXE files. Infected EXE files cannot replicate; they halt the system when executed.
This virus infects files in different ways. The sequence of executed files is divided into two sub-sequences: "odd" files and "even" ones. The virus splits itself into two parts (296 and 567 bytes), writes the first part to the end of "even" files, and appends the second part to the end of "odd" files. The "even" files are infected in the standard "virus" manner: the first three bytes of the file are replaced by a "JMP Virus" instruction. The beginning of "odd" files is not changed, and these files do not replicate the virus upon infection.
Upon execution of an "even" file, the first part of the virus searches for an "odd" file (its name is stored in the code of the first part), reads the second part into the system memory and stays resident.
In some cases, the memory resident copy of the virus writes both parts of the code into the same file: upon infection of files on floppies, and when the first part of the virus cannot locate the second one.
This is the first virus to use this "binary arm" style algorithm: the virus replicates itself if there are two infected files with different parts of the virus.

Avatar.K_Rad
It is a benign memory resident parasitic virus. It hooks INT 9 and 21h, and writes itself to the end of EXE files that are executed. By hooking INT 9, it capitalizes (on the screen) the letters that are entered via the keyboard.

Avatar.Positron
This is a dangerous memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of COM files that are executed. The virus does not overwrite the file header with the JMP_Virus instruction, but writes it to the middle of the file. When the file is executed, the virus passes that call and does not infect the file, but waits for the first INT 21h call made while the file is running. When that call is detected, the virus calculates the address from which the call was made, and writes a JMP_Virus instruction there. As a result, the virus receives control not from the beginning of the file, but from the middle, at the offset of the first INT 21h call. The virus may corrupt packed and some other types of files. These files halt the system when they are executed.