Win32.Ruff.485 Viruses Information

Name: Win32.Ruff.485
Category: Viruses

Win32.Ruff.4859

It is a dangerous memory-resident parasitic Windows virus. When an infected file is run, the virus scans the Windows kernel, obtains the addresses of the Windows functions it needs, installs its resident copy in Windows memory and returns control to the host program. The resident copy then infects PE EXE files as they are executed; to intercept file execution it hooks the CreateProcessA Windows function.
While infecting a file, the virus creates a new section named "Ruff" at the end of the file, writes its code there, and modifies the program's startup address and the other fields in the file header that the new section requires.
To install itself memory-resident the virus performs several steps. First it enumerates all active processes and looks for a running copy of EXPLORER. It then looks for the SHELL32.DLL module in the EXPLORER process's memory, scans its import tables and obtains the address of the imported CreateProcessA function. The virus then writes a small routine (168 bytes) to the top of the EXPLORER process's memory, at the addresses occupied by the DOS EXE stub; this routine later completes the virus installation.
The virus then patches the CreateProcessA import address in the SHELL32.DLL module in memory, so that calls to it go directly to the 168-byte virus routine. (Note: in both cases the virus writes its routine and its patch to process memory, not to the files on disk.)
The virus then creates the file C:SWAP and writes its "pure" code there. When the 168-byte CreateProcessA hook gets control (on any program execution), the virus completes its installation: it allocates a block of Windows memory, reads its code back from the C:SWAP file (which is then deleted) and re-points the CreateProcessA hook to that block.
As a result the virus code resides in a block of EXPLORER's memory, from where it hooks the CreateProcessA function.
The virus pays special attention to the AVP and DrWeb anti-virus programs. While installing itself in memory it looks for AVP and DrWeb processes and terminates them. When the AVP or DrWeb programs are executed, the virus deletes all files in the directories from which these programs are run.
The virus has bugs: it fails to infect Win95 memory and replicates only under Win98 and WinNT. The virus contains the text strings:
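As an added defensive example (not code from the original page): a small static triage script in Python that parses the PE section table and flags the on-disk marker described above, a trailing section named "Ruff" that also holds the entry point. The images it checks are constructed, header-only stubs built by `build_sample`, not real executables; the section and entry-point layout in them is assumed for the test only.

```python
import struct


def parse_pe(data: bytes):
    """Return (entry_rva, [(name, virtual_address, virtual_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header follows the signature: NumberOfSections at +6,
    # SizeOfOptionalHeader at +20; the optional header starts at +24.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        virt_size, virt_addr = struct.unpack_from("<II", data, off + 8)
        sections.append((name, virt_addr, virt_size))
    return entry_rva, sections


def ruff_indicators(data: bytes) -> dict:
    """Combine the two signs the description gives: a trailing "Ruff" section
    and a startup address redirected into it."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return {"ruff_last": False, "entry_in_last": False, "suspect": False}
    name, va, vs = sections[-1]
    ruff_last = name == "Ruff"
    entry_in_last = va <= entry_rva < va + vs
    return {"ruff_last": ruff_last, "entry_in_last": entry_in_last,
            "suspect": ruff_last and entry_in_last}


def build_sample(section_names, entry_rva: int) -> bytes:
    """Constructed header-only PE image for testing (not a runnable program).
    Section i is placed at RVA 0x1000*(i+1) with a virtual size of 0x1000."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x102)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 14
           + struct.pack("<I", entry_rva)).ljust(224, b"\0")
    secs = b"".join(
        n.encode().ljust(8, b"\0")
        + struct.pack("<IIII", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i)
        + b"\0" * 16
        for i, n in enumerate(section_names))
    return dos + b"PE\0\0" + coff + opt + secs
```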
We are the Ruffest !
(c) Charly
© 2006-2008 spyware32.com - Privacy Policy