Virus Database


Win2K.Team.a

Description Win2K.Team.a

Team is a Windows 2000/XP compatible companion virus using the "stream companion" infection method. This method is based on an NTFS feature that allows the creation of multiple data streams associated with a file.
NTFS Streams
Each file contains at least one default data stream that is accessed just by the file name. Each file may also contain additional stream(s) that can be accessed by their individual or specific names (filename:streamname).
The default file stream is a file body itself (in pre-NTFS terms). For instance, when an EXE file is executed the program is read from the default file stream; when a document is opened, its contents are also read from the default stream.
Additional file streams may contain any data. The streams cannot be accessed or modified without reference to the file. When the file is deleted, its streams are deleted as well; if a file is renamed, its streams follow its new name.
Windows has no standard tools to view/edit file streams. To "manually" view file streams you need to use special utilities such as the FAR utility with a file streams support plug-in (Ctrl-PgDn displays file streams for the selected file).
Virus Execution
The virus itself is a Windows application (PE EXE file) about 4K in size. When run, it executes the host file and tries to infect all EXE files in the current directory. If the host file is absent, the virus shows the following message before infecting files:

While infecting a file, the virus creates a new stream associated with the victim file. This stream is named "ccc", i.e. the complete stream name is "FileName:ccc". The virus then moves the victim file's body to the "ccc" stream and overwrites the victim file's body (default stream) with its virus code.
During infection, Team makes a copy of itself under the name 2002. After infection is complete Team deletes this file.
As a result, when the infected file is executed Windows reads the default stream that was overwritten by the virus code and executes it.
Windows reports the same file size for all infected files.
To release control to the host program, the virus creates a new process from the original program, which it accesses using the naming convention FileName:ccc.
This infection method should work on any NTFS system, but the virus checks for the system version and runs only under Win2000/XP.
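
A defender-side check for the stream layout described above, added here as an example (not code from the original page): it lists EXE files in a directory that carry a named stream called "ccc" and flags hits that share the same reported file size. It assumes PowerShell 3.0 or later on an NTFS volume; the function name Find-NamedStream is hypothetical.

```powershell
# Added example, not from the original page. Find-NamedStream is a hypothetical helper name.
# Requires PowerShell 3.0+ and an NTFS volume.
function Find-NamedStream {
    param(
        [string]$Path = '.',          # directory to inspect
        [string]$StreamName = 'ccc'   # stream name given in the description above
    )
    $hits = @(foreach ($file in Get-ChildItem -LiteralPath $Path -Filter *.exe -File) {
        # -Stream * lists every data stream; the default one is reported as ':$DATA'
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue
        foreach ($s in $streams) {
            if ($s.Stream -eq $StreamName) {
                [pscustomobject]@{
                    File          = $file.FullName
                    DefaultLength = $file.Length   # length of the default stream
                    StreamLength  = $s.Length      # length of the data held in the named stream
                }
            }
        }
    })
    # Per the description, infected files all report the same size, so
    # flag hits whose default-stream length is shared with another hit.
    $sizes = $hits | Group-Object DefaultLength | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { [long]$_.Name }
    foreach ($h in $hits) {
        $h | Add-Member -NotePropertyName SharedSize `
            -NotePropertyValue ($sizes -contains $h.DefaultLength) -PassThru
    }
}

Find-NamedStream -Path . | Format-Table -AutoSize
```

A named stream on its own is not proof of infection, since legitimate software also uses streams; the combination of a "ccc" stream on an EXE and a small default-stream size shared across several files is what matches this description.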


Squatter.9742

Description Squatter.9742

This is a dangerous memory-resident, parasitic, highly polymorphic stealth virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are accessed. Depending on its counters, the virus also infects the "C:\DOS\KEYB.COM" file, if it exists. The virus does not infect the anti-virus programs SCAN, TBAV, F-PROT. It also deletes the anti-virus data files ANTI-VIR.DAT and CHKLIST.MS.
Because of bugs in the polymorphic engine the virus often cannot decrypt itself and halts the computer. On May 24th the virus displays the messages:
Squattering your system has become by hobbie :)
-SQUATTER v1.2- Coded by The Mental Driller/29A
This virus also contains the text:
[MeDriPolEn v0.1]

Squawk.852

Description Squawk.852

This is a non-dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. It beeps through the PC speaker and contains the text:
Nguyen Van Cuong - Saigon IBM comppany.

    Copyright © 2005 Virus-Database.com