Virus.Win32.HLLC.Nan

tag: Executable File and Boot Viruses


It is a dangerous non-memory-resident companion Windows virus. It is named after the "INFNAN" text string found in its code. The virus itself is a Windows executable file about 90Kb in length, written in Delphi. When an infected file is executed, the virus spreads itself into the system. It looks for several files, copies them under other names (see below), and overwrites the original files with a copy of the virus. The affected files are as follows:

Infected file   Copied to      Directory
-------------   ----------     ---------
NOTEPAD.EXE     57381054.EXE   in the Windows directory
CDPLAYER.EXE    45123851.EXE   in the Windows directory
ACRORD32.EXE    57293711.EXE   Acrobat3\Reader
EUDORA.EXE      83747213.EXE   Eudora95
OUTLOOK.EXE     68493105.EXE   Program Files\Microsoft Office\Office
IEXPLORE.EXE    57385694.EXE   Program Files\Internet Explorer
NETSCAPE.EXE    27431087.EXE   Program Files\Netscape\Program
WINWORD.EXE     57120438.EXE   Program Files\Microsoft Office\Office
EXCEL.EXE       58192823.EXE   Program Files\Microsoft Office\Office
WINZIP32.EXE    01583754.EXE   Program Files\WinZip
ICQ.EXE         95821740.EXE

In the last case the virus reads the directory name from the system registry, from the key: \Software\Mirabilis\ICQ\DefaultPrefs IcqPath.

The virus also creates copies of itself on the disks (including floppy disks) with the names WIN32APP.EXE, WINLOGIN.EXE and ZIPTOOLS.EXE. The copy of WIN32APP.EXE on the C: drive is then registered in the system registry as an "auto-run" utility:

\Software\Microsoft\Windows\CurrentVersion\Run c:\Win32App.exe
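
The file names and the Run entry listed above can be checked against a file inventory and a dump of Run-key values. The following Python code is an added example, not part of the original entry; the function name scan, the sample inventory and the assumption that the dropped copies sit in a drive root are illustrative.

```python
import ntpath

# Companion pairs from the table above: program name -> name its original is copied to.
COMPANIONS = {
    "NOTEPAD.EXE": "57381054.EXE", "CDPLAYER.EXE": "45123851.EXE",
    "ACRORD32.EXE": "57293711.EXE", "EUDORA.EXE": "83747213.EXE",
    "OUTLOOK.EXE": "68493105.EXE", "IEXPLORE.EXE": "57385694.EXE",
    "NETSCAPE.EXE": "27431087.EXE", "WINWORD.EXE": "57120438.EXE",
    "EXCEL.EXE": "58192823.EXE", "WINZIP32.EXE": "01583754.EXE",
    "ICQ.EXE": "95821740.EXE",
}
DROPPED = {"WIN32APP.EXE", "WINLOGIN.EXE", "ZIPTOOLS.EXE"}
RUN_TARGET = r"c:\win32app.exe"

# Constructed sample inventory and Run values (not taken from a real host).
SAMPLE_PATHS = [
    r"C:\WINDOWS\NOTEPAD.EXE", r"C:\WINDOWS\57381054.EXE",
    r"C:\Program Files\WinZip\01583754.EXE",
    r"C:\Win32App.exe", r"A:\ZIPTOOLS.EXE", r"C:\WINDOWS\CALC.EXE",
]
SAMPLE_RUN = [r"c:\Win32App.exe", r"C:\WINDOWS\SYSTRAY.EXE"]


def scan(paths, run_values):
    """Return sorted (kind, detail) findings for a file listing and Run-key values."""
    findings = set()
    by_dir = {}
    for p in paths:
        d, name = ntpath.split(ntpath.normpath(p))
        by_dir.setdefault(d.upper(), set()).add(name.upper())
    for d, names in by_dir.items():
        for original, copy in COMPANIONS.items():
            if copy in names:
                # The numeric copy alone is suspicious; beside the program it is a full pair.
                kind = "companion-pair" if original in names else "companion-copy"
                findings.add((kind, ntpath.join(d, copy)))
        # Assumption: dropped copies sit in a drive root, as c:\Win32App.exe does.
        if len(d) == 3 and d[1:] == ":\\":
            for name in names & DROPPED:
                findings.add(("dropped-copy", ntpath.join(d, name)))
    for value in run_values:
        if value.strip().strip('"').lower() == RUN_TARGET:
            findings.add(("run-key", value))
    return sorted(findings)


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PATHS, SAMPLE_RUN):
        print(f"{kind:15} {detail}")
```

A "companion-pair" finding means the file carrying the program's own name should be treated as the virus copy, and the numeric file as the displaced original.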

The virus pays attention to anti-virus programs and terminates applications with the following names:

Norton AntiVirus Auto-Protect Trial Version
Norton AntiVirus Auto-Protect
AVP Monitor

Depending on the system time, the virus calls its payload routines, which reset the computer name and disk labels, and look for *.URL files and replace them with new references (one of three possible references):

[InternetShortcut]
URL=http://www.hustler.com
URL=http://www.playboy.com
URL=http://www.penthouse.com

Depending on the system time, the virus also erases (overwrites with zero bytes and then deletes) the files

\hosts
\lmhosts
\system32\drivers\etc\hosts
\system32\drivers\etc\lmhosts

in the Windows directory. The virus also randomly calls routines that exit Windows, or create 700.000.000 directories with random names, or create the C:\DAPARTY.EXE file, drop into it a copy of a file infected with "Win95.CIH" and then execute it, or display the message box:

Greets to VirusBuster: darknode@oninet.es
Congratulations, you have Win32.Prurient.Torturous.Pain

©Virus-Encyclopedia.com All Rights Reserved.