Win32.Zomby
Description Win32.Zomby
This is a memory-resident parasitic Win32 virus with backdoor abilities. The virus infects PE EXE files only and writes itself to the beginning of files while infecting. To return control to the host file, the virus disinfects it to a temporary file and runs it. When an infected program is started, the virus extracts its pure code from the infected file, copies it to the Windows system directory under the name KERNL32.EXE, and registers it in the auto-run section of the system registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run "KRNL"="Kernl32.exe"

The virus then runs two processes (threads) and stays in Windows memory as a hidden application (service). The first virus process extracts and executes the host file; the second one "sleeps" for 30 minutes, then scans local drives starting from C:, looks for PE EXE files in the directory tree and infects them.

The backdoor function is the main virus routine. It opens an Internet connection, listens for specific commands and then executes one of the requested functions: sends system information and passwords, receives and runs a file, gets/receives files, creates/removes subdirectories, etc.

Before running its backdoor abilities, the virus also informs its host about its presence on the computer. To do this, the virus connects to one of three Web pages:

Page name            User name   Password
www.chat.ru          zo01        zo01zz
ftp.geocities.com    zzo01       ivoryox17
upload.digiweb.com   zo01        zo01zz

It then gets system information, encrypts it and sends it to these pages as GIF files. The system information includes: RAS (Remote Access Service) data, computer name and Internet address, user name, and other system info such as a list of logical drives, free disk space, etc.

The virus contains the following text strings:

ZOMBY1 v.1.08 05-24-99 This program is only for educational purposes. The author takes no responsibility for anything anyone does with this program.
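
A defender's check for the registry auto-run entry described above, as an added example that is not part of the original description: it parses `reg query` style output for the Run key and flags the "KRNL" / Kernl32.exe entry and, going beyond this one virus, any auto-run image whose name is one edit away from a common Windows system file name. The sample output, the function names and the short list of system file stems are constructed assumptions.

```python
import ntpath
import re

# Indicators from the description above: Run value "KRNL" = "Kernl32.exe".
ZOMBY_VALUE, ZOMBY_IMAGE = "krnl", "kernl32.exe"
# Assumption: short, non-exhaustive list of legitimate system file stems.
SYSTEM_STEMS = ("kernel32", "explorer", "svchost", "rundll32")
# One value line of `reg query` output: name, type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$")

def edit_distance(a, b):  # Levenshtein distance, single-row DP
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def image_name(data):
    # Quoted paths end at the closing quote, unquoted ones at the first space.
    path = data[1:].split('"', 1)[0] if data.startswith('"') else data.split(" ", 1)[0]
    return ntpath.basename(path).lower()

def scan_run_key(text):
    """Return (value name, data, reason) for each suspicious auto-run entry."""
    findings = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name, data = m["name"], m["data"]
        image = image_name(data)
        stem = ntpath.splitext(image)[0]
        if name.lower() == ZOMBY_VALUE or image == ZOMBY_IMAGE:
            findings.append((name, data, "Win32.Zomby indicator"))
        elif any(edit_distance(stem, s) == 1 for s in SYSTEM_STEMS):
            findings.append((name, data, "lookalike of a system file name"))
    return findings

# Constructed sample of `reg query` output for the Run key (not real data).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    KRNL    REG_SZ    Kernl32.exe
    Updater    REG_SZ    "C:\Users\Public\svch0st.exe" -s
"""

if __name__ == "__main__":
    print(*scan_run_key(SAMPLE), sep="\n")
```
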
Fricker.395
Description Fricker.395
It is a non-dangerous, non-memory-resident parasitic virus. It searches for the C:\COMMAND.COM file, then for .COM files in the current directory, and writes itself to the end of the file. Depending on the system time, the virus decrypts and displays the message: FRICKER-1 is glad to meet YOU!
Frida.538
Description Frida.538
It is a non-dangerous, memory-resident, encrypted parasitic virus. It hooks INT 21h and writes itself to the beginning of .COM files that are executed or opened. On August 1st it displays the message: FRIDA
It contains the internal text strings: LoRD Zer0