Virus.Win32.Oroch.3982
| Field | Value |
|---|---|
| Alert Level | High |
| Discovered | Feb 11 2002 |
| Tag | Executable File and Boot Viruses |
| Discoverer and Source | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
This is a non-memory-resident, encrypted Win32 virus. It replicates under Win32 systems and infects PE EXE files (Windows executables) with the EXE and SCR filename extensions. It also overwrites MIRC.INI files to spread copies of itself over mIRC channels, and overwrites HTML pages with a Trojan script.
The virus is fairly stable and replicates without problems except under WinNT. There it infects one of the system EXE files that are protected by a checksum; on the next boot WinNT checks that file, reports possible corruption, and halts.
To infect PE EXE files, the virus scans the Windows, Windows system and current directories for .EXE and .SCR files and infects them. When the current minute is exactly 30, it also walks the directory trees of drives C: through H: and infects files found there.
Under WinNT and Win2000, the virus also infects MIRC.INI files and HTML pages found while scanning the drives. HTML files are overwritten with a script that disables the browser's Internet security settings. MIRC.INI (the mIRC script file) is overwritten with a set of commands that sends a copy of the virus to everybody who joins the infected IRC channel.
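The check that stops WinNT from booting above is the standard PE image checksum: the loader recomputes the checksum of protected system executables and compares it with the value stored in OptionalHeader.CheckSum, so any byte the virus appends or patches breaks the match. The following is an added example, not code from the page or from Kaspersky, that implements that same algorithm (the one imagehlp's CheckSumMappedFile uses) and applies it to a constructed, non-loadable PE32 image; the image layout, field values and the one-byte "infection" are assumptions made for the demonstration.

```python
"""PE image checksum verification, as performed on checksum-protected NT system files."""
import struct

MZ_LFANEW_OFFSET = 0x3C          # e_lfanew: file offset of the "PE\0\0" signature
COFF_HEADER_SIZE = 20            # IMAGE_FILE_HEADER
OPT_HDR_CHECKSUM_OFFSET = 0x40   # CheckSum inside IMAGE_OPTIONAL_HEADER (same offset for PE32 and PE32+)


def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum; raises ValueError on a malformed header."""
    if len(data) < MZ_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, MZ_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_hdr = e_lfanew + 4 + COFF_HEADER_SIZE
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):  # PE32, PE32+
        raise ValueError("unknown optional header magic %#x" % magic)
    offset = opt_hdr + OPT_HDR_CHECKSUM_OFFSET
    if offset % 4:
        # The algorithm skips the field as one 32-bit word, so it must be word aligned.
        raise ValueError("CheckSum field is not 4-byte aligned")
    return offset


def pe_checksum(data: bytes) -> int:
    """Compute the image checksum.

    Sum the file as little-endian 32-bit words with end-around carry, skipping the
    CheckSum field itself, fold the result to 16 bits, then add the file length.
    """
    skip_word = checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)      # a trailing partial word is zero-padded
    total = 0
    for word_index in range(len(padded) // 4):
        if word_index == skip_word:
            continue
        total += struct.unpack_from("<I", padded, word_index * 4)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def verify_pe_checksum(data: bytes) -> bool:
    """True only if a checksum is stored and matches; an unset (zero) field cannot be verified."""
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    return stored != 0 and stored == pe_checksum(data)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (headers plus filler, not loadable) carrying a valid CheckSum."""
    e_lfanew = 0x40
    dos_stub = bytearray(e_lfanew)
    dos_stub[:2] = b"MZ"
    struct.pack_into("<I", dos_stub, MZ_LFANEW_OFFSET, e_lfanew)
    # IMAGE_FILE_HEADER: i386, one section, no symbols, PE32-sized optional header,
    # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 0x10, 0x1000)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x400000)    # ImageBase
    struct.pack_into("<I", opt, 0x20, 0x1000)      # SectionAlignment
    struct.pack_into("<I", opt, 0x24, 0x200)       # FileAlignment
    filler = bytes(range(256)) * 3 + b"\x90" * 13  # odd length exercises the padding path
    image = bytearray(dos_stub + b"PE\0\0" + coff + opt + filler)
    struct.pack_into("<I", image, checksum_field_offset(bytes(image)), pe_checksum(bytes(image)))
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_pe()
    print("intact image verifies:", verify_pe_checksum(sample))
    patched = bytearray(sample)
    patched[-1] ^= 0x01        # a single-byte change in the body, as any infection makes
    print("patched image verifies:", verify_pe_checksum(bytes(patched)))
```

Two caveats for using this as a detection check: most user-mode executables ship with a zero CheckSum, which the function reports as unverifiable rather than bad, and a virus that recalculates and rewrites the field after infecting (this one evidently does not) passes the check, so the checksum catches accidental or careless modification, not a determined adversary.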
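A propagation script of the kind described above has to hook the channel JOIN event and DCC-send a file to the joining nick, which is what an analyst can hunt for in mirc.ini and script.ini files. The page does not reproduce the virus's actual commands, so the following added example (not from the page or from Kaspersky) parses a constructed script in mIRC's numbered-line layout and flags any JOIN handler that issues a dcc send, following brace-delimited handler bodies across lines; the sample script, its file name and the event spelling are assumptions for the demonstration.

```python
"""Flag mIRC remote-script handlers that DCC-send a file to everyone who joins a channel."""
import re
from dataclasses import dataclass

# "on <level>:<EVENT>:..." opens a remote event handler; the level may be 1, *, ^1 and so on.
EVENT_START = re.compile(r"^\s*on\s+[^:\s]+:(?P<event>[A-Za-z]+):", re.IGNORECASE)
# /dcc send, or the silent .dcc send form
DCC_SEND = re.compile(r"[/.]?\bdcc\s+send\b", re.IGNORECASE)
# mirc.ini / script.ini numbered script lines: "n3=on 1:JOIN:#:{ ... }"
INI_LINE_PREFIX = re.compile(r"^n\d+=")


@dataclass
class Finding:
    line: int      # 1-based line on which the handler starts
    event: str     # event name in upper case, e.g. JOIN
    command: str   # the offending command as written in the script


def iter_handlers(lines):
    """Yield (start_line, event, body) for every 'on' handler, following { } blocks across lines."""
    i = 0
    while i < len(lines):
        match = EVENT_START.match(lines[i])
        if not match:
            i += 1
            continue
        body = [lines[i]]
        depth = lines[i].count("{") - lines[i].count("}")
        j = i + 1
        while depth > 0 and j < len(lines):
            body.append(lines[j])
            depth += lines[j].count("{") - lines[j].count("}")
            j += 1
        yield i + 1, match.group("event").upper(), "\n".join(body)
        i = j


def find_join_autosend(script_text: str) -> list:
    """Return a Finding for each JOIN handler whose body issues a dcc send."""
    lines = [INI_LINE_PREFIX.sub("", line) for line in script_text.splitlines()]
    findings = []
    for start, event, body in iter_handlers(lines):
        if event != "JOIN":
            continue
        hit = DCC_SEND.search(body)
        if hit:
            command = body[hit.start():].splitlines()[0].strip()
            findings.append(Finding(start, event, command))
    return findings


# Constructed sample in mirc.ini layout; the virus's real commands are not on the page.
SAMPLE_MIRC_INI = """\
[script]
n0=; handler that pushes a file to every newcomer (constructed example)
n1=on 1:JOIN:#:{
n2=  if ($nick != $me) {
n3=    .dcc send $nick C:\\WINDOWS\\SYSTEM\\SAMPLE.EXE
n4=  }
n5=}
n6=on 1:JOIN:#help:{ /msg $nick Welcome to the channel }
n7=on 1:TEXT:*readme*:#:{ /dcc send $nick readme.txt }
"""

if __name__ == "__main__":
    for finding in find_join_autosend(SAMPLE_MIRC_INI):
        print(f"line {finding.line}: on-{finding.event} handler runs '{finding.command}'")
```

Only the first handler is reported: the second JOIN handler merely greets the user, and the TEXT handler sends a file but is not triggered by joins. A real triage script would also look at `/run` and `/dcc send` inside other events and at the `[rfiles]` section of mirc.ini, which lists the remote scripts that get loaded.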
The virus uses anti-debugging tricks in its decryption routine. It also disables several anti-virus monitors:
AVP Monitor
Amon Antivirus Monitor
Norton AntiVirus
and deletes the following anti-virus data files:
ANTI-VIR.DaT, CHKLIST.DAT, CHKLIST.TAV, CHKLIST.MS, NOD32.000, AVP.CRC, IVB.NTZ, SMARTCHK.MS, SMARTCHK.CPS, KERNEL.AVC, SCAN.DAT, DEC2.DLL, AP.VIR, AP.SIG, TBSCAN.SiG
On July 3rd, the virus displays the message:
OROCHI ViRUS AS LONG THE HUMANS RULE THE WORLD... THE OROCHI AWAKENING IS NOT SO FAR AWAY... IS HUMANKIND TOO LATE TO AVOID DESTRUCTION?... WHEN THE AMBITIONS OF MANY, DRIVE THE WORLD TO THE DESTRUCTION... TO STOP THIS, THE OROCHI EXIST... THE OROCHI... GOD'S MESSENGER? PERHAPS... MAY BE HUMANKIND IS AT FAULT... HUMANKIND: AMBITIOUS, CRUEL AND RESILIENT... BUT IT CANNOT BE FORGOTTEN... THE REAL ENEMY IS NOT OROCHI HUMANKIND'S REAL ENEMY? WE'VE SEEN THE ENEMY... AND IT IS US...
The virus also has an extremely dangerous payload that is activated at random under Win9x. This routine wipes the CMOS memory and then destroys the Flash BIOS, using the same routine found in the Win95.CIH virus (aka Chernobyl).
The virus contains the following "copyright" text strings:
ThE TimE IS HerE Th0sE Wh0 Can'T HacK ME ArE HeadeD Fr0M A L0nG SleeP HI HackeR, HenKy LiveS HerE OROCHI-5420 C0dE BY HenKy/[MATRiX] IN SpaiN Y2K

