Virus Database

Airwalker.385

Description Airwalker.385

This is a harmless nonmemory resident encrypted parasitic virus. It searches for COM files, then writes itself to the end of the file. The virus contains the text string:
[airwalker] (c) 1997 gothmog
Depending on the system time the virus displays the message:
Greetings to the world from the SLAM virus team

Check other viruses! Be aware! Use Antiviral Software

Backdoor.Throd.a

Description Backdoor.Throd.a

Throd is a Trojan that allows a 'master' to use the zombie machine as a proxy server. Throd is written in Delphi for Windows, is about 23 KB in size (about 80 KB unpacked)and comes packed by UPX.
Installation
The Trojan copies itself in the Windows system folder under a randomly combined multi-partite name:
ms
svc
win

16
32
64

mes
prn
reg
"ms16prn.exe", for example.
In order to auto-launch, the Trojan creates a key in the system registry:
[HKCUSoftwareMicrosoftWindowsCurrentVersionRun]
with one of the following names chosen at random:
MS Driver Management
Synchronization Messager
System Directory Service
System Service Control
Windows Messaging System
Throd then attempts to connect to several remote servers and onpass ID information, including IP address and so forth, to the virus coder.
Throd accepts commands from the remote 'master' collets email addresses from the MS Outlook address book in to the mseml.dll file and uses an http commands to send them to the same remote sites.
Throd can install and launch random files on command.
Throd also works as a proxy server and is capable of accepting and sending any type of data.

Backdoor.Tripod

Description Backdoor.Tripod

This backdoor program obtains a file from the Internet and spawns it on a victim's machine in hidden mode. Upon being run, the backdoor copies itself to Wthe indows system directory with the IESTUB32.EXE name and registers itself in system registry in the auto-run section:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
It then, depending on the current date, loads the file WELCOME.GIF from http://members.tripod.com Web site, stores it in the Windows temporary directory with the UNINST32.EXE name and spawns it. The UNINST32.EXE program's behavior is unknown and depends only on a backdoor author's needs.

Home