Virus.Win32.Zori.a

tag: Executable File and Boot Viruses


This virus infects executable files, is written in Delphi, and is approximately 43872 bytes in size.

Installation

When the virus is launched, it copies itself to the %SYSTEM%\SVCHOSTV\ directory as SVCHOST.EXE. It then adds a link to this file in the system registry. This ensures the virus will be launched each time the infected system is rebooted.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SVHOST" = "C:\WINDOWS\System32\SVCHOSTV\SVCHOST.EXE"

It also copies itself to %SYSTEM%\SVCHOSTV\SVCHOSTV\Vshell??\1.exe, where ?? is replaced by a hexadecimal number.

Infection routine

Once installed, the virus will start searching the hard disks for executable (*.EXE) files. It infects files by writing its code to the beginning of these files. Programs infected by the virus will be 438272 bytes larger than the original file size.

Other

The virus creates a text file named NSASABDox.drv in the system directory. The file shows the date the virus was first launched.
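The Run-key entry and file locations described under Installation, together with the NSASABDox.drv marker file, can be checked offline against a registry export and a file listing. The Python sketch below is an added example, not part of the original entry; the function names and sample data are constructed, and the rule that flags any svchost.exe started from outside System32 or SysWOW64 is a generalization beyond the single path listed above.

```python
import re
from ntpath import basename, dirname, normpath

# Indicators come from the description above; SAMPLE_* data is constructed.
RUN_KEY = r"\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<data>.*)"\s*$')
EXE_RE = re.compile(r'[a-z]:\\[^"]*?\.exe', re.I)
SYS = r"\\system(?:32)?\\"  # %SYSTEM% resolves to ...\System32 or ...\System
FILE_RES = [re.compile(SYS + tail + "$", re.I) for tail in (
    r"svchostv\\svchost\.exe",
    r"svchostv\\svchostv\\vshell[0-9a-f]+\\1\.exe",  # ?? = hexadecimal number
    r"nsasabdox\.drv",
)]

def run_key_findings(reg_text):
    """Run-key values that start an svchost.exe located anywhere other than
    directly inside System32/SysWOW64 (where the genuine file lives)."""
    findings, in_run = [], False
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            in_run = line.strip("[]").lower().endswith(RUN_KEY)
            continue
        m = VALUE_RE.match(line)
        if not (in_run and m):
            continue
        # .reg exports escape quotes and backslashes; undo that first.
        data = m["data"].replace('\\"', '"').replace("\\\\", "\\")
        exe = EXE_RE.search(data)
        if not exe:
            continue
        path = normpath(exe.group())
        parent = basename(dirname(path)).lower()
        if basename(path).lower() == "svchost.exe" and parent not in ("system32", "syswow64"):
            findings.append((m["name"], path))
    return findings

def file_findings(paths):
    """Paths that match the file locations named in the description."""
    return [p for p in paths if any(r.search(normpath(p)) for r in FILE_RES)]

# First value as printed in the entry, second as a .reg export escapes it.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SVHOST" = "C:\WINDOWS\System32\SVCHOSTV\SVCHOST.EXE"
"Updater"="C:\\Program Files\\Vendor\\update.exe"
'''
SAMPLE_FILES = [r"C:\WINDOWS\System32\svchost.exe",
                r"C:\WINDOWS\System32\SVCHOSTV\SVCHOSTV\Vshell1A\1.exe",
                r"C:\WINDOWS\System32\NSASABDox.drv"]
```
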

From time to time, the virus may hide the Start button, the Control Panel or other windows, cause the CD-ROM drive to open on its own, and so on.

The virus creates and launches a command file named diablo.bat with the following contents:

shutdown -s -t 30 -c "Hi, I am Death. I Want to send the enormous hello:
Oxy, Alke, Punk-y Dashe and others Goblinam. P.S.(  Bye "Hacker", you possible
can not  restart computer)" -f  

It causes Russian text to be displayed on the screen. The first line of the text contains the English words:

"Hello, " [...]". This is Death."

9 days after the virus is first launched, it displays a window containing another Russian text. The first line of the text is in English:

"DeathDangerCompany"

It will then start to delete files from all disks.

©Virus-Encyclopedia.com All Rights Reserved.