TrojanDownloader.Win32.WebDown.10
Description TrojanDownloader.Win32.WebDown.10
The Webdown virus program belongs to the trojan downloader family. The "trojan package" contains two files (components):
Editor component
Trojan server component
The Editor allows a hacker to select a Web page address to download a file from, and the file name to where the file will be downloaded to. Then the Editor creates a small (up to 3K in size) Server Win32 PE EXE file.
When the Server is run on a victim machine, it downloads and runs that file in the system.
The Server doesn't install itself into the system and doesn't have any other function except downloading a file and executing it on victim machines.
Webdown editor screen shots:
Check other viruses! Be aware! Use Antiviral Software
Linux.Vit.4096
Description Linux.Vit.4096
This is a nonmemory resident parasitic virus. The virus has the internal ELF format, replicates under Linux OS and infects Linux executable files. This is the second known Linux virus, the first being "Linux.Bliss".
Linux is a access-protected system; i.e., users and programs may access only files that they have permission to. The same is true for a virus - it may infect only the files and directories that are declared as "write-able" for the current username. If the current username has total access (system administrator), the virus will infect all the files on a computer.
When an infected file is executed, the virus takes control, searches for executable ELF files in the current directory and infects them into the middle. While infecting, the virus analyzes the internal file formats (ELF headers), locates the first code section, makes a "cave" by shifting this and the following sections down by 4096 bytes, writes its code to this "cave," modifies the file entry address and corrects necessary fields in the ELF headers.
Clean file: Infected file:
+---------------+ +---------------+
| ELF Headers |--+ | ELF Headers |--+
| | | | | |
|---------------| | |---------------|<-+ virus entry
| Section 1 |<-+ entry +-| Virus | address
| | address | | - - - - - - - |
|---------------| +>| Section 1 |
| Section 2 | | |
|---------------| |---------------|
. . . | Section 2 |
|---------------| |---------------|
| Section n | . . .
+---------------+ |---------------|
| Section n |
+---------------+
The virus looks for duplicate infection and prevents it, and, in addition, the virus infects files quite accurately: in tests, not all infected files were corrupted, and the virus was able to replicate itself from them.
While infecting, the virus uses the temporary VI324.TMP file. This file name was the reason behind the selecting of the virus name(VIxxx.Txx).
Linux.Winter
Description Linux.Winter
This is a harmless non-memory resident parasitic Linux virus. It is extremely small in size for a Linux virus - just 341 bytes (in the known virus version).
When an infected file is run, the virus gains control, searches for ELF files (Linux executable files) in the current directory, then writes itself to the middle of the file to the non-used "Notes section" if there is one and it has enough size. While infecting, the virus overwrites "Notes" data in the section, but the program runs properly after that.
The virus contains the text string:
LoTek by Wintermute
The virus has a routine that sets a host name (computer name) to "Wintermute", but this routine never gains control.
|
Home
Viruses from A to Z
0-9
A
B
Ñ
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
Gratis Nätdejting
Vindu
Free Blackberry Ringtones
Company Of Heroes
Huddinge StÄd
|