Details
Win32.Tinit.a
This is a non-dangerous, per-process, memory-resident, parasitic Win32 virus. It runs as a background process of the infected application, scans local and network drives for Win32 executable files (PE EXE files) with .EXE and .SCR extensions, and infects them.
The virus consists of two components: a "loader" of about 1Kb written in assembler, and a "main" program written in Delphi. The "main" component is compressed with the UPX PE EXE compression utility and is about 170K in size; decompressed, the virus code is about 400K.
When infecting a file, the virus writes its "loader" to the end of the file and modifies the file header so that the loader receives control when the infected file is run (as Win32 viruses usually do). The virus then appends its "main" component to the file as overlay data.
When an infected file is run, the virus loader obtains access to system functions (the Windows API), reads the main component, writes it to the Windows temp directory under a random name with a .TMP extension, and executes it. The main virus code then receives control.
The virus also has a "backdoor" capability. It connects to the Internet, waits for commands from a "host", and performs two actions: it reports computer information to the "host", and it executes a file requested by the "host".
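The infection layout described above, with the "main" component appended as overlay data past the last PE section, is something a defender can check for directly. The following Python is an added example, not code from the original entry: it parses the section table to locate any overlay and applies a size heuristic. The 64K threshold and the constructed PE skeleton used as test input are assumptions, not values from the page.

```python
import struct


def build_minimal_pe(section_raw_size, overlay=b""):
    """Build a constructed, non-executable PE32 skeleton with one section
    (test input only) and append `overlay` after the section's raw data."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                   # PE32 optional header size
    coff_header = b"PE\x00\x00" + struct.pack(
        "<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)  # i386, one section
    opt_header = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)
    headers_len = len(dos_header) + len(coff_header) + len(opt_header) + 40
    ptr_raw = (headers_len + 0x1FF) & ~0x1FF          # file-align to 0x200
    section = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", section_raw_size, 0x1000, section_raw_size, ptr_raw,
        0, 0, 0, 0, 0x60000020)
    image = dos_header + coff_header + opt_header + section
    image += b"\x00" * (ptr_raw - len(image)) + b"\x90" * section_raw_size
    return image + overlay


def overlay_info(data):
    """Return (overlay_offset, overlay_size) for a PE image, or None if the
    buffer is not a parseable PE file. The overlay is everything past the
    highest PointerToRawData + SizeOfRawData in the section table."""
    try:
        if data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
            return None
        num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
        opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
        section_table = e_lfanew + 24 + opt_size
        end_of_sections = 0
        for i in range(num_sections):      # each section header is 40 bytes
            size_raw, ptr_raw = struct.unpack_from(
                "<II", data, section_table + i * 40 + 16)
            end_of_sections = max(end_of_sections, ptr_raw + size_raw)
    except struct.error:                   # truncated or malformed headers
        return None
    return end_of_sections, max(0, len(data) - end_of_sections)


def has_large_overlay(data, threshold=64 * 1024):
    """Triage heuristic: flag PE files carrying an overlay of at least
    `threshold` bytes (assumed value; the entry gives ~170K for the
    compressed main component, so a far smaller threshold still catches it)."""
    info = overlay_info(data)
    return info is not None and info[1] >= threshold
```

Legitimate installers and some packers also carry overlays, so treat a hit as a triage signal to inspect further, not as a verdict.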