Virus Database


Win32.Voodoo.1537

Description Win32.Voodoo.1537

This is a memory-resident, encrypted, parasitic Win32 virus; it carries no destructive payload. It stays resident in Windows memory and, on certain system events, searches for files in C:\Program Files and other directories and infects them. When infecting a file the virus enlarges the file's last section, writes its encrypted body there and redirects the program's entry point in the PE header to that body. The virus has no visible manifestation; it contains the author's "copyright" text:
Star0 - Magic Voodoo

When an infected file is executed, the virus decrypts itself and scans the KERNEL32.DLL image to locate the Windows API functions it needs (GetSystemTime, CreateThread, FindFirstFileA, FindNextFileA and others); the appended virus body has no import table of its own, so it must resolve these addresses itself. It then allocates a block of system memory, copies itself there and hooks ExitProcess: it scans the KERNEL32.DLL code once more and patches it with the address of its own handler.
The virus also uses multithreading: its ExitProcess handler receives control directly from the Windows kernel, while the infection routine runs as a separate thread. When the infection thread is started it sleeps for 5 seconds, then searches the directory tree for PE EXE files and infects them.
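The infection pattern described above (last section grown, encrypted body written into it, entry point redirected there) leaves a trace in the PE headers that can be checked without running the file. The following Python is an added example, not part of the original description and not the virus's code: it parses the section table, finds the section that contains AddressOfEntryPoint, and reports the indicators an analyst would look for. Both PE images are constructed inside the script (header-only, not real binaries), and the choice of indicators is my own assumption.

```python
import struct

# Section characteristic flags (from the PE/COFF specification)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def build_pe(entry_rva, sections):
    """Build a header-only PE32 image (constructed test input, not a real binary).

    sections: list of (name, virtual_address, virtual_size, raw_size, raw_ptr, characteristics)
    """
    opt_size = 224  # PE32 optional header including 16 data directories
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    hdrs = b"".join(
        struct.pack(SECTION_HDR, name.ljust(8, b"\0"), vsize, va, raw, ptr, 0, 0, 0, 0, chars)
        for name, va, vsize, raw, ptr, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


def parse_pe(data):
    """Return (entry_rva, [section dicts]) read from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    off = opt + opt_size
    for _ in range(nsec):
        name, vsize, va, raw, ptr, _r, _l, _nr, _nl, chars = struct.unpack_from(SECTION_HDR, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw, "chars": chars})
        off += 40
    return entry, sections


def entry_point_section(data):
    """Index of the section that contains AddressOfEntryPoint, or None."""
    entry, sections = parse_pe(data)
    for i, s in enumerate(sections):
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"]):
            return i
    return None


def appended_code_indicators(data):
    """Heuristic signs that code was appended to the last section and the entry point moved into it."""
    _, sections = parse_pe(data)
    idx = entry_point_section(data)
    if idx is None:
        return ["entry point outside every section"]
    sec = sections[idx]
    hits = []
    if len(sections) > 1 and idx == len(sections) - 1:
        hits.append("entry point in last section")
    if not sec["chars"] & IMAGE_SCN_CNT_CODE:
        hits.append("entry section not marked as code")
    if sec["chars"] & IMAGE_SCN_MEM_WRITE:
        hits.append("entry section writable")
    return hits


TEXT = (b".text", 0x1000, 0x800, 0x800, 0x400,
        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
DATA_RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Constructed "clean" host: entry point in .text, small trailing .data section.
CLEAN = build_pe(0x1000, [TEXT, (b".data", 0x2000, 0x200, 0x200, 0xC00, DATA_RW)])
# Constructed "infected" host: last section grown by 0x600 bytes, entry point moved into it.
INFECTED = build_pe(0x2200, [TEXT, (b".data", 0x2000, 0x800, 0x800, 0xC00, DATA_RW)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, entry_point_section(image), appended_code_indicators(image))
```

These indicators are a triage aid, not a verdict: runtime packers and some legitimately linked binaries also place the entry point in a trailing section, so a hit should be confirmed by looking at the code at the entry point (for this virus, a decryptor followed by a scan of KERNEL32.DLL) rather than treated as proof of infection.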


Backdoor.Rbot.gen

Description Backdoor.Rbot.gen

Backdoor.Rbot is a family of Trojan programs for Windows that give a remote attacker access to victim machines. The Trojans are controlled via IRC and have the following functions:
monitor the network for interesting packets (e.g. those containing passwords for FTP servers or for e-payment systems such as PayPal)
scan the network for machines with unpatched common vulnerabilities (RPC DCOM, UPnP, WebDAV and others), for machines already infected by Trojan programs (Backdoor.Optix, Backdoor.NetDevil, Backdoor.SubSeven and others) or by the Trojan components of worms (I-Worm.Mydoom, I-Worm.Bagle), and for machines with weak system passwords
conduct DoS attacks
launch SOCKS and HTTP servers on infected machines
send the operator of the program detailed information about the victim machine, including passwords for a range of computer games

Backdoor.Ruledor.c

Description Backdoor.Ruledor.c

This program belongs to the backdoor family of malicious programs, which give a remote party control over the victim machine.
The victim computer can be controlled remotely and made to execute the commands listed in the file http://sds.cl**ch.com/ie/control.dat; the program downloads this file on startup.
Backdoor.Ruledor.c can also download and install other programs without the user noticing.
In some observed incidents a wide range of AdWare and Trojans were downloaded and installed this way.
Installation
The program creates the directory ClearSearch in the Program Files folder, copies itself there under the name loader.exe and registers itself for autorun in the system registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Other
At system startup the program deletes all Browser Helper Objects (BHOs) that it did not install itself.
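The installation details above (loader.exe under Program Files\ClearSearch, registered in the Run key) are the persistence indicators an incident responder would check first. The following Python is an added example, not part of the original description: it parses a .reg export of the autorun keys and reports values whose command matches that path. It assumes the keys were exported to a .reg file (for example with reg export), includes the per-user Run key as well as the HKLM key named above, and uses a constructed sample export; the sample entries are made up for this illustration.

```python
import re

# Autorun keys to inspect: the HKLM key named in the description plus the
# per-user equivalent (included on my assumption, not stated by the page).
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower(),
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower(),
}

# Indicator from the description: loader.exe inside a ClearSearch directory under Program Files.
INDICATORS = [re.compile(r"program files\\clearsearch\\loader\.exe$", re.I)]

# Constructed sample of a .reg export; the values are invented for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="C:\\WINDOWS\\SOUNDMAN.EXE"
"ClearSearch"="C:\\Program Files\\ClearSearch\\loader.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Example]
"Loader"="C:\\Program Files\\ClearSearch\\loader.exe"
'''

# A REG_SZ line in a .reg file looks like "name"="data", with \ and " escaped by a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: a backslash followed by any character stands for that character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]            # new key header
        elif key is not None:
            m = VALUE_RE.match(line)
            if m:
                yield key, _unescape(m.group(1)), _unescape(m.group(2))


def find_suspicious_autoruns(text):
    """Return (key, name, data) for Run-key values whose data matches a known indicator.

    Values under other keys are ignored even if they match, so the last sample entry is not reported.
    """
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in RUN_KEYS:
            continue
        if any(p.search(data) for p in INDICATORS):
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_suspicious_autoruns(SAMPLE_REG):
        print(f"{key}\\{name} -> {data}")
```

Removing the Run value alone is not a clean-up: the description says the program reinstalls downloaded components and removes competing BHOs at startup, so loader.exe itself and the ClearSearch directory have to be removed as well, and the BHO list should be reviewed afterwards.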





Copyright © 2005 Virus-Database.com