Win32.HIV
Description Win32.HIV
This is a dangerous per-process memory resident Win32 virus infecting PE EXE files (Windows applications) and MSI archives, "upgrading" itself from the Internet, and possessing e-mail spreading abilities. The virus is encrypted and uses "Entry Point Obscuring" technology to hide itself in infected files. The virus has about 6K of length.

The virus uses anti-debugging tricks and halts the machine if SoftICE or another debugger is detected in the system.

The virus also tries to disable Windows file protection. To do that, it infects the system files that are responsible for file protection: it overwrites the DEFAULT.SFC file with empty data (under Win98) or SFCFILES.DLL (under Win2000). This trick should work under Win98, and should not work under Win2000, where the system either blocks access to SFCFILES.DLL or immediately restores it from backup.

Infection
To infect *.EXE files, the virus looks for them in the current directory and writes itself to the end of the file. To get control, the virus does not modify the program start-up address; instead it looks for standard program subroutine headers/footers and patches a footer with a JMP_Virus instruction. As a result, the virus is not activated at the moment an infected file is run, but only when the infected routine is executed (when the corresponding branch gets control). The virus then stays in memory as a component of the infected program, hooks several file access functions, and infects EXE files that are accessed by the infected program. So the virus is active in Windows memory until the infected application is terminated.

In some cases, when run on an NTFS machine, the virus creates an additional NTFS stream (ADS) with the ":HIV" name ("filename.ext:HIV") in infected files and writes the following "copyright" text there:

This cell has been infected by HIV virus, generation: 0xNNNNNNNN

where NNNNNNNN is the virus "generation" number.

MSI archives
The virus also intercepts access to MSI archives, opens them, looks for PE EXE files in there and infects them by overwriting the program entry routine with code that displays the following message when run:

[Win32.HiV] by Benny/29A
This cell has been infected by HIV virus, generation: 0xNNNNNNNN

where NNNNNNNN is the virus "generation" number.

HTML files infection
The virus also looks for *.HTML files in the current directory and replaces them with XML files by adding a .XML extension to them:

Clean file: File.html
Infected file: File.html.xml

The virus then hides the infected XML files using a trick: it sets a registry key that causes Windows not to show extensions for XML files, changes the XML file icon, and places the standard HTML file icon there. As a result, infected HTML files (which are actually XML files after infection) are displayed by Explorer as standard HTML files in the file list. So an infected "File.html.xml" is shown as "File.html" with an HTML file icon.

The script program written by the virus into infected HTML files gains access to an Internet zone and opens the file there:

http://coderz.net/benny/viruses/press.txt

In reality this is not a TXT file but an XML file, which Internet Explorer processes as a standard Web page (despite the file having a TXT extension). The script program in the PRESS.TXT file downloads an MSXMLP.EXE file from the same site and registers it in the auto-run Registry section:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HIV = c:\MSXMLP.EXE

The MSXMLP.EXE file found there is a standard Windows application with a new virus version in it. So the virus author can "upgrade" the virus on infected machines, or install a Trojan.

Email spreading
The virus opens the WAB database (Windows Address Book), obtains e-mail addresses from there and sends messages that contain the following:

From: press@microsoft.com
Sent: 2010/06/06 22:00
Subject: XML presentation
Message:
Please check out this XML presentation and send us your opinion. If you have any questions about XML presentation, write us. Thank you, The XML development team, Microsoft Corp.
Attached file: press.txt

The attached PRESS.TXT file is the same XML script program as used by the virus while infecting HTML files. So, when a user activates PRESS.TXT, a virus copy is downloaded to the computer and registered in the system registry. The virus saves that PRESS.TXT file in the root directory of the C: drive: C:\PRESS.TXT.

While sending messages, the virus uses the MAPI library, so it does not depend on the mail system installed on the computer. The known virus version has a bug in the mailing routine and fails to send messages.
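A defender-side triage routine for the traces this description names (the "File.html.xml" rename, the generation marker text, and the ":HIV" alternate data stream), added here as an example and not part of the original description; the function names and the constructed sample files are this example's own assumptions.

```python
import os
import re
import tempfile

# Marker text quoted in the description; the generation is 8 hex digits.
MARKER_RE = re.compile(
    rb"This cell has been infected by HIV virus, generation: 0x([0-9A-Fa-f]{8})")

def hiv_generation(data: bytes):
    """Return the generation number as an int if the marker is present, else None."""
    m = MARKER_RE.search(data)
    return int(m.group(1), 16) if m else None

def is_disguised_html(name: str) -> bool:
    """True for the 'File.html.xml' renaming trick (case-insensitive)."""
    return name.lower().endswith((".html.xml", ".htm.xml"))

def has_hiv_stream(path: str) -> bool:
    """Look for the 'filename.ext:HIV' alternate data stream. Only NTFS exposes
    ADS through the normal file API; elsewhere open() fails and we report False."""
    try:
        with open(path + ":HIV", "rb") as f:
            return hiv_generation(f.read()) is not None
    except OSError:
        return False

def scan_directory(root: str):
    """Walk root and return a list of (path, reason) findings."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if is_disguised_html(name):
                findings.append((path, "html-renamed-to-xml"))
            with open(path, "rb") as f:
                gen = hiv_generation(f.read())
            if gen is not None:
                findings.append((path, f"marker-generation-0x{gen:08X}"))
            if has_hiv_stream(path):
                findings.append((path, "ads-HIV"))
    return findings

def build_sample_dir() -> str:
    """Constructed sample (no real malware): a disguised HTML file and an
    EXE-like file carrying the marker with generation 0x0000002A."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "index.html.xml"), "wb") as f:
        f.write(b"<?xml version='1.0'?><!-- constructed stand-in -->")
    with open(os.path.join(d, "app.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 16 +
                b"This cell has been infected by HIV virus, generation: 0x0000002A")
    return d
```

Run `scan_directory(build_sample_dir())` to see the two findings; on a real NTFS volume the ADS check becomes meaningful as well.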
Cheeba.1683
Description Cheeba.1683
This is a harmless memory resident virus which infects COM and EXE files in the standard manner. It infects memory only if the INT 13h vector points to a memory area whose address is lower than that of the first MCB. The virus changes the first 5 bytes of the INT 13h, 21h and 22h handlers into a FAR JMP instruction to the virus body. It contains the string "CHEEBA Makes Ya High Harmlessly F**K THE LAMERS". It also contains a code area which is decrypted and executed only when a particular file is opened; the name of that file is the decryption key.
Chek1.282
Description Chek1.282
This is a harmless memory resident parasitic virus. It copies itself into the Interrupt Vector Table, hooks INT 21h and writes itself to the end of .COM files that are accessed with the FindNext ASCII (AH=4Fh) DOS function. The virus contains the internal text string: CheK1