Win32.Porex.a
Description Win32.Porex.a
"Porex" is a memory-resident parasitic and companion Win32 virus. The virus itself is a Windows PE EXE file about 37KB in length, written in Microsoft Visual C++.

The virus affects files of two types: Win32 PE executable files, and files with the .DOC filename extension. It affects a file only if the file size is above 10KB and less than 21MB. The virus searches for victim files on all available drives and in all directories. When infecting EXE files, the virus writes itself to the beginning of the file. When infecting %filename%.DOC files, the virus creates a "companion" %filename%.EXE file and writes itself to this new EXE file.

When the virus is run from an infected EXE file, it extracts the EXE host file to a temporary .RNT file and spawns it, so the host file gets control. The virus then installs itself to the system and runs its infection routine. When the virus is run from a companion EXE file, it just installs itself to the system and runs its infection routine. In both cases the virus registers itself as a system service process; as a result, it is not visible in the task list.

While installing, the virus copies itself to the Windows directory under the name poserv.exe and registers this file in the system registry auto-run key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PO system service = %WindowsDir%\poserv.exe

The virus has a trojan routine that sends information from infected computers to its master, including: Windows version, computer name, user name, processor type, and ICQ information. The virus also looks for the following strings in application windows and grabs text from those windows: password, mail, ftp, and telnet. While grabbing this information, the virus creates a logger.bin file in the Windows directory.

The virus also searches for and tries to terminate the following processes:
aplica32.exe zonealarm.exe _avpm.exe cfiadmin.exe vsmon.exe avpm.exe cfiaudit.exe vshwin32.exe tds2-98.exe cfinet32.exe vsecomr.exe ip_tools.exe cfinet.exe webscanx.exe sewf.exe iamserv.exe avconsol.exe outpost.exe iamapp.exe vsstat.exe blackice.exe pcfwallicon.exe navapw32.exe jammer.exe frw.exe navw32.exe kerio.* safeweb.exe lockdown2000.exe firewall.*
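The file-system traces described above (poserv.exe and logger.bin in the Windows directory, and a virus-sized .EXE sitting beside a same-named .DOC) can be checked with a short scan. This is an added example, not part of the original description; the 4 KB tolerance around "about 37KB" and the function names are assumptions, and the registry auto-run value is not checked here.

```python
import os
import tempfile

# File names and victim size limits are taken from the description above.
INSTALL_ARTIFACTS = ("poserv.exe", "logger.bin")
MIN_VICTIM, MAX_VICTIM = 10 * 1024, 21 * 1024 * 1024
# "About 37KB" per the description; the 4 KB tolerance is an assumption.
BODY_SIZE, TOLERANCE = 37 * 1024, 4 * 1024

def scan(root, windows_dir):
    """Return sorted (kind, path) findings for Porex file-system traces."""
    findings = []
    for name in INSTALL_ARTIFACTS:
        path = os.path.join(windows_dir, name)
        if os.path.isfile(path):
            findings.append(("install-artifact", path))
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}  # Windows names ignore case
        for low, real in by_lower.items():
            stem, ext = os.path.splitext(low)
            if ext != ".doc" or stem + ".exe" not in by_lower:
                continue
            doc = os.path.join(dirpath, real)
            exe = os.path.join(dirpath, by_lower[stem + ".exe"])
            doc_ok = MIN_VICTIM < os.path.getsize(doc) < MAX_VICTIM
            exe_ok = abs(os.path.getsize(exe) - BODY_SIZE) <= TOLERANCE
            if doc_ok and exe_ok:
                findings.append(("doc-companion", exe))
    return sorted(findings)

def demo():
    """Scan a constructed tree of zero-filled files (sample data, no malware)."""
    sample = {
        "Windows/poserv.exe": BODY_SIZE,
        "docs/report.doc": 50 * 1024,
        "docs/report.exe": BODY_SIZE + 512,  # companion-sized: flagged
        "docs/notes.doc": 50 * 1024,
        "docs/notes.exe": 900 * 1024,        # unrelated program: ignored
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, size in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"\0" * size)
        docs, win = os.path.join(root, "docs"), os.path.join(root, "Windows")
        return [(k, os.path.basename(p)) for k, p in scan(docs, win)]

if __name__ == "__main__":
    print(demo())
```

A size match is only a triage signal: a hit means the file deserves a scan with current antivirus signatures, not that it is confirmed infected.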
Crazy.1402
Description Crazy.1402
These are harmless memory-resident stealth viruses that infect COM files when a program terminates (the Exit and Keep DOS functions), when files are searched for (FindFirst and FindNext), or when a file is closed. The viruses decrease the memory area allocated for DOS (the word at the address 0000:0413). They hook 12 DOS functions and use a stealth mechanism: they restore infected files as they are accessed.

Upon installation the viruses create two copies of themselves in RAM: an operational copy and a backup copy. On every call to interrupt 1Ch (Timer Tick), the "Crazy" viruses write their backup copies over their operational copies, and in this way get rid of debuggers.

The viruses hook INT 1Ch and INT 21h and contain the text:

"Crazy.1402" - Crazy imp. v1.5
"Crazy.1445" - Crazy imp. v2.0
CrazyBoot
Description CrazyBoot
It is a dangerous memory-resident stealth virus. It hooks INT 13h and hits the MBR of the hard drive and the boot sectors of floppy disks. When infecting floppies, it saves the virus body to the wrong address and corrupts data files. Depending on its internal counters, it displays the message:

Don't PLAY with the PC ! Otherwise you will get in 'DEEP,DEEP' trouble !all Crazy Boot Ver. 1.0