Virus Database

Win32.HLLP.Clay

Description Win32.HLLP.Clay

This is a non-memory resident parasitic Win32 virus about 300K in length, written in Borland C. The virus looks for Win32 EXE files on the hard drive and infects them. While infecting, the virus writes its code to the end of the file as well as to the beginning of the file (see below). The virus does not manifest itself in any way.
The virus consists of four components: Loader, Main, Infector and Backdoor. Each of the components is a stand-alone Win32 PE EXE file. The first component (Loader) is written to the beginning of the file and it gains control when an infected file is run. Other components are written to the end of the file.
When an infected file is run, the Loader extracts the Main and other components from infected files and drops them to the Windows directory with the CDPLAY.EXE name. The Main component is then registered in the WIN.INI file in the auto-run section:
[windows]
run=%WinDir%cdplay.exe
where %WinDir% is a Windows directory. The Loader component then spawns the host program and exits.
Upon the next Windows restart, the Main virus component (CDPLAY.EXE) is started. It extracts two more components from itself, drops them to the I.EXE and Z.EXE names to Windows directory, spawns these two files and exits.
As a result, there are three new files created in the Windows directory:
Main component - CDPLAY.EXE
Infector - I.EXE
Backdoor - Z.EXE
The Main component also contains code of all the other components, which are used while infecting other files.
The Backdoor component is Backdoor.BO Trojan, and its behavior is BO-like.
The Infector component looks for PE EXE files (Win32 applications) on the hard drive, and infects them.

Check other viruses! Be aware! Use Antiviral Software

Macro.Word.Tabulator

Description Macro.Word.Tabulator

This macro virus contains five macros:
Documents NORMAL.DOT
AUTOOPEN AUTOOLD
M1 M1, DateiSpeichern
M2 M2, ExtrasMakro
M3 M3, DateiDokvorlagen
M4 M4, FormatTabulator

It infects the system on opening an infected document. It infects the files on saving them. On 15th of any month it renames the "C:IO.SYS" file to "C:I O.SYS".

Macro.Word.Taguchi

Description Macro.Word.Taguchi

The virus contains two macros: AutoClose, nigro. It infects the system macros area and document upon closing files (AutoClose). On February 19th, it insert into documents the text string:
* nEUrOtIc cpU vIrUz *

It also contains the comments:
si es el d a 19 de Febrero creo un bucle infinito
escribiendo en el archivo abierto nEUrOtIc cpU
***********************************************************
*
* Virus Taguchi
* (la probabilidad de aprobar es de un 0.05 %)
*
***********************************************************

Home