Details
Win32.HLLP.BadBy
This is a very dangerous, memory resident parasitic Win32 virus. The virus itself is a Win32 application written in Delphi and is about 300K in length. The virus infects .EXE files according to the file name extension, not internal file formats, and as a result, infects DOS EXE files as well as NE and PE (Win16 and Win32) applications.
When an infected file is executed, the virus looks for a NOTEPAD.EXE file in the Windows directory and infects it. The virus then stays in Windows memory as a hidden application and runs a low-priority thread that scans the subdirectories of the current drive, searches them for EXE files, and infects them.
While infecting, the virus moves the victim file's body down by the virus's own length (about 300K), and writes itself to the top of the file. To release control to the host program, the virus creates a temporary EXE file in the same directory where the infected program runs, disinfects the file into this temporary file, executes it, and then deletes it.
On September 9th and October 28th, the virus runs its payload routine that erases files on the current drive.
The virus also has a side effect: it reserves about 20M of Windows memory for its data buffers and, as a result, may slow down PCs that do not have enough RAM.
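The prepending layout described above (virus body on top, original EXE moved down behind it) can be triaged statically. The following is an added example, not part of the original description: it finds where the leading PE image's section data ends and reports whether a second `MZ` program starts exactly there. The function names and the `make_pe` sample builder are hypothetical, and the sample bytes are constructed.

```python
import struct

def pe_image_end(data):
    """File offset where the leading PE image's section data ends, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # start of the section table
    end = 0
    for i in range(num_sections):
        off = table + 40 * i                  # each section header is 40 bytes
        if off + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)
    return end or None

def prepended_host_offset(data):
    """Offset of a second MZ program directly after the leading image, else None."""
    end = pe_image_end(data)
    if end is None or end + 2 > len(data):
        return None
    return end if data[end:end + 2] == b"MZ" else None

def make_pe(raw_size):
    """Constructed sample: PE headers plus one zero-filled section (not runnable)."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x46, 1)                  # NumberOfSections
    struct.pack_into("<II", hdr, 0x58 + 16, raw_size, 0x200)  # raw size, raw offset
    return bytes(hdr) + bytes(raw_size)

if __name__ == "__main__":
    clean = make_pe(0x400)
    suspect = make_pe(0x400) + make_pe(0x200)   # constructed "body on top of host" layout
    print(prepended_host_offset(clean), prepended_host_offset(suspect))
```

Because the moved host can be a DOS, NE or PE program, the check looks only for the shared `MZ` signature. Self-extracting installers can carry an embedded EXE in the same position, so a hit is a triage signal to confirm with an antivirus scan, not a verdict.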