WinNT.Tenta
This is a non-dangerous, non-memory-resident parasitic WinNT virus. It infects Win32 executable files (PE, Portable Executable). While infecting a file, the virus writes its code to the end of the first file section, moves the other file sections down by the necessary offset, and modifies the file header so that it gains control when the infected file is executed.
When the virus takes control, it scans the WinNT KERNEL32 data to get the addresses of the functions it needs (file searching, reading, writing, etc.). The virus then infects the C:\WINDOWS\WINHLP32.EXE file, if it exists, then the C:\WINHLP32.EXE file, then WINHLP32.EXE in the Windows directory, then the MSVCRT20.DLL file in the Windows System directory, and then searches for all files in the current directory and infects them. After infection, the virus returns control to the host program. While infecting, the virus uses the temporary file C:\WIN32SWP.SYS.
Depending on its counter (once per 8 runs), the virus creates the C:\TENTACLE.TXT file and writes the following text to it:
I'm the Tentacle Virus!
The virus then modifies the system registry so that opening any .GIF file makes the system execute the Write utility, which opens and shows the C:\TENTACLE.TXT file.
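The layout change described above (code added at the end of the first section, the other sections moved down by the same offset) can be checked by comparing a file's section table with a known-good copy of the same build. The following is an added example, not part of the original description; the function names and sample layouts are constructed, and it assumes the added code shows up as growth in the first section's raw size.

```python
import struct

def pe_sections(data: bytes):
    """Return [(name, raw_size, raw_offset)] from a PE file's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (nsect,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    out = []
    for i in range(nsect):
        name, _vsize, _va, raw_size, raw_off = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_size, raw_off))
    return out

def first_section_growth(clean: bytes, suspect: bytes):
    """Bytes added to the first section if later sections moved down by the
    same amount with their sizes unchanged; otherwise None."""
    a, b = pe_sections(clean), pe_sections(suspect)
    if not a or len(a) != len(b):
        return None
    delta = b[0][1] - a[0][1]
    if delta <= 0 or b[0][2] != a[0][2]:
        return None
    moved = all(sb[1] == sa[1] and sb[2] - sa[2] == delta
                for sa, sb in zip(a[1:], b[1:]))
    return delta if moved else None

def build_headers(sections):
    """Constructed sample: header-only PE image, no optional header or section data."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode(), size, 0, size, off, 0, 0, 0, 0, 0)
        for n, size, off in sections)
    return dos + b"PE\0\0" + coff + table

# Constructed layouts; the 0xE00 growth is illustrative, not the virus's real size.
CLEAN = build_headers([(".text", 0x2000, 0x400), (".data", 0x800, 0x2400),
                       (".rsrc", 0x1000, 0x2C00)])
SHIFTED = build_headers([(".text", 0x2E00, 0x400), (".data", 0x800, 0x3200),
                         (".rsrc", 0x1000, 0x3A00)])

if __name__ == "__main__":
    print(first_section_growth(CLEAN, SHIFTED))
```

For real files, pass the bytes of the known-good copy and of the file under examination; a legitimately updated build will also differ, so the comparison is only meaningful against the same version of the file.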