Win32.Zomb Viruses Information

Name: Win32.Zomb
Category: Viruses
Description: Details
Win32.Zomby

This is a memory-resident parasitic Win32 virus with backdoor abilities. The virus infects PE EXE files only and, when infecting, writes itself to the beginning of the file. To return control to the host file, the virus disinfects it into a temporary file and runs that file.
When an infected program is started, the virus extracts its pure code from the infected file, copies it to the Windows system directory under the name KERNL32.EXE, and registers it in the auto-run section of the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run "KRNL"="Kernl32.exe"

The virus then runs two processes (threads) and stays in Windows memory as a hidden application (service). The first virus-process extracts and executes the host file, and the second one "sleeps" for 30 minutes, then scans local drives starting from C:, and looks for PE EXE files in the directory tree and infects them.
The backdoor function is the main virus routine. It opens an Internet connection, listens for specific commands and then executes one of the requested functions: sends system information and passwords, receives and runs a file, gets/receives files, creates/removes subdirectories, etc.
Before running its backdoor abilities, the virus also informs its host about its presence on the computer. To do this, the virus connects to one of three Web pages:
Page name            User name   Password

www.chat.ru          zo01        zo01zz
ftp.geocities.com    zzo01       ivoryox17
upload.digiweb.com   zo01        zo01zz

then gets system information, encrypts it and sends it to these pages as GIF files. The system information includes: RAS (Remote Access Service) data, computer name and Internet address, user name, and other system info such as a list of logical drives, free disk space, etc.
The virus contains the following text strings:
ZOMBY1 v.1.08 05-24-99
This program is only for educational purposes.
The author takes no responsibility for anything
anyone does with this program.
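
A check for the auto-run registration described above, written as an added example for defenders (not code from the original page): it reads a regedit text export and reports the Run value given in this description, and goes one step further by flagging any Run entry whose file name is one edit away from a system module name. The watch list SYSTEM_STEMS, the function names and the sample export are assumptions constructed for the example.

```python
import re

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
PAGE_IOC = ("krnl", "kernl32.exe")  # value name and data as printed on the page
SYSTEM_STEMS = ("kernel32", "svchost", "explorer", "lsass")  # assumed watch list
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample of a regedit export (real exports are UTF-16; decode first).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"KRNL"="Kernl32.exe"
"Updater"="\"C:\\Program Files\\Acme\\update.exe\" /background"
"Shell"="C:\\Windows\\System32\\svch0st.exe"
'''

def edit_distance(a, b):  # Levenshtein distance, computed one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def run_entries(reg_text):
    """Yield (name, data) for string values under the HKLM Run key only."""
    in_run = False
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY
        elif in_run and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes with a backslash
            yield tuple(re.sub(r"\\(.)", r"\1", g) for g in m.groups())

def exe_stem(data):
    """Lower-case file name, without extension, of the command's executable."""
    exe = data[1:].split('"', 1)[0] if data.startswith('"') else data.split(" ", 1)[0]
    return re.split(r"[\\/]", exe)[-1].lower().rsplit(".", 1)[0]

def findings(reg_text):
    """Return (name, data, reason) for Run values that warrant a look."""
    out = []
    for name, data in run_entries(reg_text):
        if (name.lower(), data.lower()) == PAGE_IOC:
            out.append((name, data, "Run value documented for Win32.Zomb"))
        elif any(edit_distance(exe_stem(data), s) == 1 for s in SYSTEM_STEMS):
            out.append((name, data, "file name one edit away from a system module"))
    return out
```

Calling findings(SAMPLE) reports the KRNL and Shell values and leaves the Updater entry alone; an exact system name such as explorer.exe is not flagged, since verifying its path is a separate check.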



© 2006-2008 spyware32.com - Privacy Policy