Description:
Details
Win32.Niko.5178
This is a non-dangerous, per-process memory-resident, parasitic, encrypted Win32 virus. When an infected program runs, the virus decrypts its code and stays in memory as part of the infected application. To do that, the virus creates two threads: the Infection thread and the Message thread. The Infection thread sleeps for some time, then scans the current directory and the directory trees on all drives, searching for PE EXE files and infecting them. When infecting a file, the virus writes itself to the end of the last file section.
The Message thread gets the system date and on October 9th displays the MessageBox:
YOUPIIIIIIIIII
It's my birthday !!!
The Infection and Message threads can be disabled by environment strings: the "NICO_VIR_OFF" string disables the Infection thread, and "NICO_VIR_CHILD_OFF" disables the Message thread.
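The description says the virus body is written to the end of the last file section. The following triage check is an added example, not code from the original entry: it parses PE headers and flags files whose last section is both writable and executable or contains the entry point. That an appended body leaves these traces is an assumption about appending infectors in general, not something the entry states, and `build_sample` is a constructed header stub used only as test input.

```python
import struct

EXEC, WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE

def last_section_report(data: bytes) -> dict:
    """Describe the section that sits last in the file and flag it for review."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (nsect,) = struct.unpack_from("<H", data, pe + 6)     # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe + 20) # SizeOfOptionalHeader
    (entry,) = struct.unpack_from("<I", data, pe + 40)    # AddressOfEntryPoint
    secs = []
    for i in range(nsect):
        off = pe + 24 + opt_size + 40 * i                 # 40-byte section headers
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        (flags,) = struct.unpack_from("<I", data, off + 36)
        label = name.rstrip(b"\0").decode("ascii", "replace")
        secs.append((rptr, label, vaddr, max(vsize, rsize), flags))
    if not secs:
        raise ValueError("no sections")
    _, label, vaddr, size, flags = max(secs)              # highest raw file offset
    wx = bool(flags & EXEC) and bool(flags & WRITE)
    entry_in_last = vaddr <= entry < vaddr + size
    # Assumed heuristic: clean linkers usually end with non-executable data
    # (.rsrc, .reloc), so either condition only marks the file for manual review.
    return {"section": label, "writable_executable": wx,
            "entry_in_last": entry_in_last, "review": wx or entry_in_last}

def build_sample(last_flags: int, entry_rva: int) -> bytes:
    """Constructed two-section PE header stub (headers only, not a loadable file)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    def sect(name, vaddr, rptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, vaddr, 0x200, rptr,
                           0, 0, 0, 0, flags)
    return (dos + b"PE\0\0" + coff + opt
            + sect(b".text", 0x1000, 0x200, 0x60000020)
            + sect(b".rsrc", 0x2000, 0x400, last_flags))

if __name__ == "__main__":
    print(last_section_report(build_sample(0x40000040, 0x1000)))  # typical layout
    print(last_section_report(build_sample(0xE0000020, 0x2100)))  # flagged layout
```

A flagged file is a candidate for scanning with an up-to-date antivirus engine, not a confirmed infection; packers and some legitimate protectors produce the same layout.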