Susan is a memory-resident Win32 companion virus that is not particularly dangerous. The virus itself is a Windows PE EXE file about 66KB in length, written in Delphi.
The virus searches for .EXE files in the Windows "Program Files" directory on the C: drive and infects them. While infecting, the virus copies the victim file under the name "%filename%2.exe" (it adds the character "2" to the file name) and copies itself under the victim file's original name, for example:
filename.exe -> filename2.exe (the number "2" is added to the file name)
virus -> filename.exe (virus copy under the original victim file name)
When the infected file is run, it gets its file name, looks for the host file (with the number "2" at the end of the file name) and then executes it. Thus the host file gains control.
The virus then copies itself to the Windows directory under the name "syst.exe" and registers this copy in the registry auto-run key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run syst = %virus name%
The virus also creates two more registry keys:
HKCU\SOFTWARE\c1
HKCU\SOFTWARE\c2
and writes two counters to the auto-run key. Depending on the values of these counters, the virus activates its infection routine.
The virus also creates one more registry key:
HKCU\Software\systdisable
and writes to this location the total number of files that were infected on the particular machine. If the number "1" is stored there, the virus just exits without taking any action.
The virus does not manifest itself in any way.
The "Susan" virus contains the following text strings:
vSusanne01b
2001,MadeinSlovakia
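The companion naming scheme described above leaves a recognisable layout on disk: NAME.exe next to NAME2.exe, with NAME.exe about 66KB long. The following triage sketch is an added example, not part of the original description; the function names, the 60-72 KiB size window and the sample tree are assumptions made for illustration, and it inspects file layout only, not the registry.

```python
import os

# Assumption: "about 66KB" from the description is treated as 60-72 KiB.
SIZE_RANGE = (60 * 1024, 72 * 1024)

def find_companion_pairs(root):
    """Return (suspect, displaced_host, size_matches) for every NAME.exe
    that has a sibling NAME2.exe in the same directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}  # Windows names are case-insensitive
        for lower, actual in sorted(by_lower.items()):
            stem, ext = os.path.splitext(lower)
            if ext != ".exe":
                continue
            host = by_lower.get(stem + "2.exe")
            if host is None:
                continue
            suspect = os.path.join(dirpath, actual)
            size = os.path.getsize(suspect)
            hits.append((suspect, os.path.join(dirpath, host),
                         SIZE_RANGE[0] <= size <= SIZE_RANGE[1]))
    return hits

def build_sample_tree(root):
    """Constructed sample layout (dummy zero bytes only), for demonstration."""
    layout = {
        "AppA/tool.exe": 66 * 1024,     # size matches the description
        "AppA/tool2.exe": 300 * 1024,   # displaced original host
        "AppB/setup.exe": 500 * 1024,   # benign pair that happens to share the naming
        "AppB/setup2.exe": 510 * 1024,
        "AppC/viewer.exe": 120 * 1024,  # no companion at all
    }
    for rel, size in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for suspect, host, size_ok in find_companion_pairs(tmp):
            label = "size matches ~66KB" if size_ok else "pair only, size differs"
            print(f"{suspect} <-> {host}: {label}")
```

A pair whose size does not match is reported but flagged separately, since legitimate software can ship files named NAME.exe and NAME2.exe.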
