Win32.Bora
This is a non-memory-resident Win32 virus written in Borland C++. It replicates under Win32 systems and infects PE EXE files (Windows executables). The virus also infects the mIRC client to spread its copy to IRC channels.
When an infected file is started, the virus takes control, looks for EXE files and infects them. While infecting, the virus moves the file body down and writes its code to the beginning of the file. The temporary TEMPLE.$_$ file is used during infection.
The virus infects up to three files in the current directory upon each start, then looks for \WINDOWS\RUNDLL32.EXE and \WINNT\RUNDLL32.EXE files on all available drives, and infects them too.
The virus also looks for the presence of mIRC subdirectories:
C:\MIRC
C:\MIRC32
C:\PROGRA~1\MIRC
C:\PROGRA~1\MIRC32
If any of them exists, the virus creates an infected C:\WINDOWS\WINTEST.EXE file and overwrites the SCRIPT.INI file in the mIRC directory with a set of commands that send the virus copy (the C:\WINDOWS\WINTEST.EXE file) to everybody who sends a file to the IRC channel or is sent a file.
On April 15th, the virus displays the following message:
Virus -=Temple=- Build 002
Copyright (c) by Wit AKA CyberViper 1999.
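
A check for the file-system traces described above, as an added example that is not part of the original description. The names `scan_root` and `demo` and the indicator labels are chosen here, and the directory tree that `demo` builds is constructed sample data, not real samples.

```python
import os
import tempfile

MIRC_DIRS = ["MIRC", "MIRC32", "PROGRA~1/MIRC", "PROGRA~1/MIRC32"]  # from the page
DROPPED_COPY = "WINDOWS/WINTEST.EXE"
TEMP_NAME = "TEMPLE.$_$"


def scan_root(root):
    """Return sorted (indicator, relative path) findings under one drive root."""
    findings = []
    if os.path.isfile(os.path.join(root, DROPPED_COPY)):
        findings.append(("dropped-copy", DROPPED_COPY))
    for mirc in MIRC_DIRS:
        ini = mirc + "/SCRIPT.INI"
        try:
            with open(os.path.join(root, ini), "rb") as fh:
                body = fh.read().upper()
        except OSError:
            continue  # no mIRC directory here, or the file is unreadable
        if b"WINTEST.EXE" in body:  # names the dropped copy, as described
            findings.append(("mirc-script", ini))
    # The page does not say where the temporary file is created: walk the tree.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper() == TEMP_NAME:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append(("temp-file", rel.replace(os.sep, "/")))
    return sorted(findings)


def demo():
    """Build a constructed directory tree (no real samples) and scan it."""
    layout = {
        DROPPED_COPY: b"constructed placeholder",
        "MIRC/SCRIPT.INI": b"; constructed: c:\\windows\\wintest.exe\n",
        "MIRC32/SCRIPT.INI": b"; constructed clean script\n",
        "DOCS/temple.$_$": b"",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in layout.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return scan_root(root)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a live Windows system, call `scan_root` once per drive root (for example `scan_root("C:\\")`); the lookups there are case-insensitive, and the `PROGRA~1` short name resolves only if 8.3 names are enabled on the volume.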