Win32.Eta Viruses Information
Name: Win32.Eta
Category: Viruses
Description:
Details
Win32.Etap
Etap is a very complex, highly polymorphic parasitic Win32 virus that uses the entry-point obscuring technique. The virus infects Windows executable files (Win32 PE EXE). When run, the virus searches for these files and infects them.
Replication
The virus searches for Win32 PE executable files in the current directory and in the directories located in the three levels above the current directory. It also searches for executable files on available network drives and on removable media. If a directory's name begins with "W" it infects the exe files contained within. The virus doesn't infect files if their names begin with the following:
F-
PA
SC
DR
NO
'Etap' also spares files whose names contain the letter 'V', and others depending on random counter values.
While infecting files, the virus rebuilds and encrypts its body and writes it to one of the host file's sections. Then it searches for one of the calls to the "ExitProcess" function in the host's code section and replaces it with a call to the viral code.
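The call replacement described above leaves the PE entry point untouched, so triage has to look at call targets instead. The following is an added example, not code from the original page: a heuristic that flags near calls in the code section whose target lies in a different section. It assumes the replaced call is a relative `E8` call and that the viral body sits outside the code section; the section table and bytes are constructed, and a raw byte scan without disassembly can produce false positives.

```python
import struct

def find_cross_section_calls(code, code_rva, sections):
    """Return (call_rva, target_rva, section_name) for each E8 rel32 call
    whose target lies in a section other than the one holding the code.

    code      -- raw bytes of the code section
    code_rva  -- RVA at which those bytes are mapped
    sections  -- list of (name, start_rva, size) from the section table
    """
    def owner(rva):
        for name, start, size in sections:
            if start <= rva < start + size:
                return name
        return None

    home = owner(code_rva)
    hits = []
    for off in range(len(code) - 4):
        if code[off] != 0xE8:          # opcode of CALL rel32
            continue
        (rel,) = struct.unpack_from("<i", code, off + 1)
        # The displacement is relative to the end of the 5-byte instruction.
        target = (code_rva + off + 5 + rel) & 0xFFFFFFFF
        dest = owner(target)
        if dest is not None and dest != home:
            hits.append((code_rva + off, target, dest))
    return hits

def call(at_rva, target_rva):
    """Encode a CALL rel32 placed at at_rva (used to build the sample)."""
    return b"\xE8" + struct.pack("<i", target_rva - (at_rva + 5))

# Constructed sample: a two-section image and a short code fragment.
SECTIONS = [(".text", 0x1000, 0x1000), (".data", 0x3000, 0x1000)]
SAMPLE = (b"\x6A\x00" + call(0x1002, 0x1020)    # call staying inside .text
          + b"\x6A\x00" + call(0x1009, 0x3400)  # call leaving .text
          + b"\xC3")

if __name__ == "__main__":
    for src, dst, name in find_cross_section_calls(SAMPLE, 0x1000, SECTIONS):
        print(f"call at {src:#x} -> {dst:#x} in {name}")
```

A hit is only a lead for manual review: confirm it by disassembling around the call site and checking whether the target section was meant to hold executable code.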
Payload
Depending on the system date and whether the infected host file imports the Windows library User32.dll, the virus may display messages, such as:
On May 14th:
"Free Palestine!"
or
On March, June, September, December 17th:
"Metaphor V1 by the Mental Driller/29a", or
"Metaphor 1b by the Mental Driller/29a"
The latter message's letters may be randomly selected.