Virus Database


TrojanSpy.Win32.Tofger.s

Description TrojanSpy.Win32.Tofger.s

This Trojan is written in Assembler; the main component is approximately 17KB in size.
Once launched, the Trojan searches drives C, D and E for all text files and saves their names and paths for subsequent use.
Once it has finished doing this, it displays a window titled Symantec Team Antivirus Tools.

Installation

When installing, the Trojan saves its main component svchost.exe to the Windows system directory and registers this file in the system registry. This ensures that the file will be run each time the system is rebooted.

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Online Service]

The Trojan also creates two additional files in the Windows directory:

sysini.ini - a file containing information harvested from the victim machine
msto32.dll - a key logger program

Payload

The Trojan downloads updates to itself from the following addresses:
http://161.58.226.xx/unity/Updates/1.exe
http://161.58.226.xx/unity/Updates/2.exe
http://161.58.226.xx/unity/Updates/3.exe
It then copies them to the Windows system directory under the name surte.exe and launches them. It harvests a variety of information from the victim computer, including keystrokes and the contents of the clipboard, and periodically sends it to the author of the program.
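
A defender-side check for the indicators listed in this entry, added here as an example (it is not part of the original database entry): it scans `reg export` style text and a file listing for the Run entry and the dropped file names. It assumes "Online Service" is the value name under the Run key; the sample registry text and file paths are constructed.

```python
import ntpath
import re

# Indicators from the description above. Assumption: "Online Service" is the
# value name under the Run key (the page prints key and name as one path).
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
RUN_VALUE = "online service"
DROPPED = {"sysini.ini", "msto32.dll", "surte.exe"}

def parse_reg_export(text):
    """Yield (key, value_name, data) for string values in .reg-style text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"([^"]+)"="(.*)"$', line)):
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def scan(reg_text, file_paths):
    """Return (kind, name, detail) tuples for every indicator found."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower().replace("hkey_local_machine", "hklm") != RUN_KEY:
            continue
        if name.lower() == RUN_VALUE:
            hits.append(("run-value-name", name, data))
        # svchost.exe is normally started by the Service Control Manager,
        # so a Run entry that points at it is anomalous.
        if ntpath.basename(data.strip('"')).lower() == "svchost.exe":
            hits.append(("run-points-to-svchost", name, data))
    for path in file_paths:
        base = ntpath.basename(path).lower()
        if base in DROPPED:  # name match only: a lead to triage, not a verdict
            hits.append(("dropped-file", base, path))
    return hits

# Constructed sample data (not taken from a real host).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"Online Service"="C:\\WINDOWS\\system32\\svchost.exe"
'''
SAMPLE_FILES = [r"C:\WINDOWS\sysini.ini", r"C:\WINDOWS\msto32.dll",
                r"C:\WINDOWS\notepad.exe"]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REG, SAMPLE_FILES):
        print(hit)
```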


Playgame.2000

Description Playgame.2000

This is a benign memory-resident multipartite virus. When an infected file is executed, the virus writes itself to the hard drive MBR and returns control to the host program. The virus becomes memory resident only upon loading from an infected disk. It hooks INT 13h and 21h, and writes itself to the end of EXE files that are accessed.
The virus contains the string "CO4DSCCLVSNEHTTBVIF-FIGIIMRAFEMTBR", and does not infect a file if the first two bytes of its name consist of two characters from this string (CO*.*, 4D*.*, SC*.*, and so on). The virus also contains the text string:
[ MK / TridenT ]
In December, this virus starts a game, and, while playing the game, it displays the following message:
HAPPY VIRUS Time to play a game (Use shift keys)
You reached level Play again?

Plovdiv Family

Description Plovdiv Family

These are very dangerous memory resident parasitic viruses. They hook INT 21h.
Plovdiv.800
It copies itself to two areas of the system memory: the DOS data area at address 0000:0600 and the highest address of 640K RAM. It writes itself to the beginning of .COM files. It formats the disk sectors, and contains the texts:
*.com
(c)Damage inc.Ver 1.1,Plovdiv,1991

Plovdiv.984,1000
They write themselves to the end of .COM and .EXE files. They format the disk sectors and contain the texts:
Plovdiv.984 : (c)Damage inc. Ver 1.3 1991 Plovdiv S.A.
Plovdiv.1000: (c)Damage inc. S.A. Ver 1.3B IX.91 Plovdiv


    Copyright © 2005 Virus-Database.com