Cholera Family
Description Cholera Family
These are dangerous memory-resident parasitic viruses. They hook INT 21h and write themselves to the end of .COM and .EXE files that are executed. They infect some files incorrectly; these files halt the system on execution. Depending on the system time, these viruses also hook INT 08h and introduce a delay on each timer tick. They contain the internal text strings:
"Cholera.a": Cholera v1.0 by dr Hellraiser 94-02-03
"Cholera.b": Cholera v2.0 by dr Fleischman 93-12-29
Backdoor.FTP.Casus.15
Description Backdoor.FTP.Casus.15
The program poses as an FTP server and informs its host, via ICQ or e-mail, of the networks it has found. On execution of the virus code, "Casus" registers itself in the system registry so that it runs automatically when the infected system is rebooted. Via e-mail and ICQ, Casus sends notifications to its host (the hacker receiving the network notifications) and begins to listen clandestinely over TCP/IP on port 21. Having received the notices informing him of located networks, the virus host uses any FTP client to gain access to the file systems of victim computers.
Backdoor.G_Door.20
Description Backdoor.G_Door.20
This backdoor uses standard client-server technology and consists of two parts, a client and a server; both are Windows executable files (PE EXE). The backdoor server is installed on victim computers, and the client controls them from a remote station.
Installation
When the server is run on a victim computer, it installs itself to the system: it moves itself to the Windows system directory under the name KERNEL32.EXE and changes the following system registry keys:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\WIN98\SYSTEM\KERNEL32.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
@="C:\WIN98\SYSTEM\KERNEL32.EXE"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\WIN98\SYSTEM\KERNEL32.EXE %1"
[HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command]
@="C:\WIN98\SYSTEM\KERNEL32.EXE %1"
The name of the Windows system directory (here "C:\WIN98\SYSTEM") depends on the system configuration. As a result of this registration in the system registry, the server starts automatically at boot time (first two keys) and also each time a TXT file is opened (last two keys). In this way the server starts on Windows start-up and restarts if a user unloads its process from system memory. Moreover, the server permanently (about every 10 seconds) checks its registry keys. If these keys are changed (the reference to the server file is deleted), the server restores them to the "infected" state. As a result, removing the backdoor server is not a simple problem: it is impossible to remove or rename the KERNEL32.EXE backdoor server file (it is active and locked by the system), and the registry keys are controlled by the server (this makes it impossible to reboot the system with a "clean" registry).
Under Win9x, to get rid of this backdoor, boot the computer in DOS mode and remove the KERNEL32.EXE file from the Windows system directory; after booting Windows, remove the references to this file from the system registry. Under WinNT, kill the backdoor's process in Windows memory, then delete the server EXE file and clean the system registry keys.
Server
To accept connections from the client component, the backdoor server uses port 7626 and periodically listens on it. When a client is connected, the server executes client commands and gives it control over the victim computer: it manipulates the victim's file system (copies, moves, deletes, creates files, etc.).
Client
The client is able to scan a specified subnet for active servers. On connecting to a server, the client gains control over the victim computer's resources. The client GUI is in Chinese.
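A removal check for the persistence described above, written as an added example (not the encyclopedia's or the backdoor's code): it parses a REGEDIT4-style export and flags autostart entries that launch a KERNEL32.EXE (Windows ships KERNEL32.DLL, never an EXE of that name) and a txtfile open handler that is not notepad.exe. The sample export below is constructed from the keys listed in the description, and the notepad.exe baseline is an assumption about the default TXT handler.

```python
# Constructed REGEDIT4 export modelled on the keys the description lists;
# not captured from a real infected machine.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\WIN98\\SYSTEM\\KERNEL32.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
@="C:\\WIN98\\SYSTEM\\KERNEL32.EXE"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WIN98\\SYSTEM\\KERNEL32.EXE %1"
'''

AUTOSTART_KEYS = (r"\currentversion\run", r"\currentversion\runservices")
TXT_HANDLER_KEY = r"\txtfile\shell\open\command"


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Minimal REGEDIT4 parser: key path -> {value name: string data}.
    Undoes the .reg escaping of backslashes and double quotes."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace('\\"', '"').replace("\\\\", "\\")
    return keys


def command_exe(command: str) -> str:
    """Lower-cased file name of the program a command line launches."""
    cmd = command.strip()
    head = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return head.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_gdoor_persistence(reg_text: str) -> list[tuple[str, str]]:
    """(key, reason) for every entry matching the backdoor's persistence pattern."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        low = key.lower()
        for name, data in values.items():
            exe = command_exe(data) if data.strip() else ""
            if low.endswith(AUTOSTART_KEYS) and exe == "kernel32.exe":
                findings.append((key, f"'{name}' launches KERNEL32.EXE (Windows ships KERNEL32.DLL, no EXE)"))
            elif low.endswith(TXT_HANDLER_KEY) and exe != "notepad.exe":
                findings.append((key, f"TXT open handler is {exe!r}, not notepad.exe"))
    return findings
```

Run it against an export taken after the DOS-mode file deletion described above; any remaining finding is a key the removal procedure still has to clean.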