Virus Database


Win32.HLLW.Showgame.a

Description Win32.HLLW.Showgame.a

This is a very dangerous memory-resident Win32 virus worm. It does not infect files but spreads "as-is", as a 70K Win32 application that can be found in three files:
in the Windows system directory with WINDOWS.EXE name
in the Windows directory with WINXYZ.EXE name
on an A: drive with SHOWGAME.EXE name
When the virus is run from an infected floppy disk, it copies itself to the Windows system directory with the WINDOWS.EXE name and to the Windows directory with the WINXYZ.EXE name. The virus then registers itself in the auto-run key in the system registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
wwindll = "%SystemDir%\winxyz.exe /run"
The virus then stays in Windows memory as a hidden service process, detects when an A: floppy drive is in use, and copies itself there with the SHOWGAME.EXE name. The ReadOnly, System and Hidden attributes are then set on this file.
On the 26th of each month, the virus destroys files in the root directory of the C: drive. To destroy files, the virus "creates" them, so a file is not deleted; rather, its size is set to zero and the file data is lost.
While infecting the system, the virus also modifies the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
FullPath = 1
In the Russian Windows version on Saturdays, the virus displays a white ellipse covering the desktop.


Deathead.1585

Description Deathead.1585

This is a non-dangerous, memory-resident parasitic virus. When executed, the virus searches for COM files and writes itself to the end of the file. The virus displays an image of a skull and the messages:
DEATHS HEAD VIRUS
Abandon Hope All Ye
Who Contract Me

Deathrider.729

Description Deathrider.729

This is a dangerous, non-memory-resident overwriting virus. It searches for .COM and .EXE files in the current directory (using the masks *.COM and *.EXE) and overwrites them. The length of the infected files grows by 39 bytes. On the 8th of every month, it types the following message:
------* DeathRider Virus version 1.8 *------
(c) 1993 DeathRider - Pretoria - South Africa

and then formats HD sectors and erases CMOS memory. On other days, it types one of the following messages:
Packed File Corrupt
Sharing violation
Required system component not installed

and returns to DOS. It also contains the internal text: "ViRuZÑÑZ ".

    Copyright © 2005 Virus-Database.com