Win32.HLLP.Cla Viruses Information

Name: Win32.HLLP.Cla
Category: Viruses
Description: Details
Win32.HLLP.Clay

This is a non-memory resident parasitic Win32 virus about 300K in length, written in Borland C. The virus looks for Win32 EXE files on the hard drive and infects them. While infecting, the virus writes its code to the end of the file as well as to the beginning of the file (see below). The virus does not manifest itself in any way.
The virus consists of four components: Loader, Main, Infector and Backdoor. Each of the components is a stand-alone Win32 PE EXE file. The first component (Loader) is written to the beginning of the file and it gains control when an infected file is run. Other components are written to the end of the file.
When an infected file is run, the Loader extracts the Main and other components from the infected file and drops them into the Windows directory under the name CDPLAY.EXE. The Main component is then registered in the auto-run section of the WIN.INI file:
[windows]
run=%WinDir%cdplay.exe
where %WinDir% is the Windows directory. The Loader component then spawns the host program and exits.
Upon the next Windows restart, the Main virus component (CDPLAY.EXE) is started. It extracts two more components from itself, drops them into the Windows directory as I.EXE and Z.EXE, spawns these two files and exits.
As a result, there are three new files created in the Windows directory:
Main component - CDPLAY.EXE
Infector - I.EXE
Backdoor - Z.EXE
The Main component also contains code of all the other components, which are used while infecting other files.
The Backdoor component is the Backdoor.BO Trojan, and its behavior is BO-like.
The Infector component looks for PE EXE files (Win32 applications) on the hard drive, and infects them.
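
The persistence and dropped-file traces described above can be checked on collected artifacts. The following is an added example, not part of the original description: it parses the text of a WIN.INI file for auto-run entries that start cdplay.exe and checks a Windows directory listing for the three component names. The function names and the sample data are assumptions constructed for illustration, and checking load= alongside run= goes beyond what the description mentions.

```python
import re

# File names the description says are dropped into the Windows directory.
DROPPED = {"cdplay.exe": "Main", "i.exe": "Infector", "z.exe": "Backdoor"}

def autorun_entries(win_ini_text):
    """Return (key, program) pairs from run=/load= in the [windows] section."""
    entries, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and INI comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key in ("run", "load"):
            # Several programs may be listed, separated by spaces or commas.
            for prog in re.split(r"[,\s]+", value.strip()):
                if prog:
                    entries.append((key, prog))
    return entries

def base_name(program):
    # Also split on '%' so "%WinDir%cdplay.exe" yields "cdplay.exe".
    return re.split(r"[\\/%]", program)[-1].lower()

def clay_findings(win_ini_text, windir_files):
    """List traces matching the description; a name match is a lead, not proof."""
    findings = []
    for key, prog in autorun_entries(win_ini_text):
        if base_name(prog) == "cdplay.exe":
            findings.append(f"WIN.INI {key}= starts {prog}")
    for name in windir_files:
        role = DROPPED.get(name.lower())
        if role:
            findings.append(f"{name} in Windows directory ({role} component name)")
    return findings

# Constructed sample input, not taken from a real system.
SAMPLE_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\cdplay.exe\n\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_FILES = ["NOTEPAD.EXE", "CDPLAY.EXE", "I.EXE", "Z.EXE", "WIN.INI"]

if __name__ == "__main__":
    for finding in clay_findings(SAMPLE_INI, SAMPLE_FILES):
        print(finding)
```

Because infected host files carry the Loader, removing the three dropped files and the WIN.INI entry does not clean the infected EXE files themselves.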



© 2006-2008 spyware32.com - Privacy Policy