This is a very dangerous memory-resident Win32 virus-worm. It does not infect files, but spreads "as-is", as a 70K Win32 application that can be found in three files:
- in the Windows system directory under the name WINDOWS.EXE
- in the Windows directory under the name WINXYZ.EXE
- on the A: drive under the name SHOWGAME.EXE
When the virus is run from an infected floppy disk, it copies itself to the Windows system directory under the name WINDOWS.EXE and to the Windows directory under the name WINXYZ.EXE. The virus then registers itself in the auto-run key in the system registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
wwindll = %SystemDir%\winxyz.exe /run
The virus then stays in Windows memory as a hidden service process, detects when the A: floppy drive is in use, and copies itself there under the name SHOWGAME.EXE. This file is then given the ReadOnly, System and Hidden attributes.
On the 26th of each month, the virus destroys files in the root directory of the C: drive. To destroy files, the virus "creates" them, so a file is not deleted; rather, its size is set to zero and the file data is lost.
While infecting the system, the virus also modifies the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
FullPath = 1
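The indicators described so far can be checked offline against triage data from a suspect machine. The following is an added example, not part of the original description: the function names `parse_reg` and `triage`, the input layout (regedit export text plus a list of path, size and attribute tuples) and the sample data are assumptions constructed for illustration.

```python
# Added example: indicator names come from the description; input layout is assumed.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
CAB_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\cabinetstate"
DROPPED = ("windows.exe", "winxyz.exe", "showgame.exe")

def parse_reg(text):
    """Parse regedit export text into {key: {value_name: data}} with lower-cased names."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            # String data is quoted and uses doubled backslashes in the export.
            current[name.strip('"').lower()] = data.strip('"').replace("\\\\", "\\")
    return keys

def triage(reg_text, files):
    """files: iterable of (path, size, attrs); attrs is a string of R/S/H flags."""
    strong, weak = [], []
    reg = parse_reg(reg_text)
    for name, data in reg.get(RUN_KEY, {}).items():
        exe = data.lower().split(" /")[0].rsplit("\\", 1)[-1]
        if name == "wwindll" or exe in DROPPED:
            strong.append(f"RunServices autorun: {name} = {data}")
    if reg.get(CAB_KEY, {}).get("fullpath") == "dword:00000001":
        weak.append("CabinetState FullPath = 1")  # common setting, weak on its own
    emptied = 0
    for path, size, attrs in files:
        folder, _, base = path.lower().rpartition("\\")
        if base == "showgame.exe" and folder == "a:" and set("RSH") <= set(attrs):
            strong.append(f"hidden floppy copy: {path}")
        elif base == "winxyz.exe" or (base == "windows.exe" and folder.endswith("system")):
            strong.append(f"dropped copy: {path}")
        elif folder == "c:" and size == 0:
            emptied += 1  # payload truncates C:\ root files instead of deleting them
    if emptied:
        weak.append(f"{emptied} zero-length file(s) in C:\\ root")
    return strong, weak

# Constructed sample input (not real telemetry).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"wwindll"="C:\\WINDOWS\\SYSTEM\\winxyz.exe /run"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
"FullPath"=dword:00000001'''
SAMPLE_FILES = [(r"C:\WINDOWS\SYSTEM\WINDOWS.EXE", 71680, ""), (r"C:\WINDOWS\WINXYZ.EXE", 71680, ""),
                (r"A:\SHOWGAME.EXE", 71680, "RSH"), (r"C:\AUTOEXEC.BAT", 0, "A"), (r"C:\CONFIG.SYS", 0, "A")]
```

Zero-length root files and the CabinetState value also occur on clean systems, so the example reports them separately from the file-name and autorun matches.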
On Saturdays, in the Russian version of Windows, the virus displays a white ellipse covering the desktop.
