Win32.Hortig Viruses Information

Name: Win32.Hortig
Category: Viruses
Description: Details
Win32.Hortiga

This is a non-memory resident parasitic Win32 virus. It searches for PE EXE files (Windows executable), and then writes itself to the end of the file. To reserve a place for its code, the virus creates a new section with the ".|Zan" name at the end of the file.
The virus has an "anonymous IP" ability. This means that a hacker may use an infected machine as a "proxy server", sending packets that carry the infected machine's IP address:

      IP1                      IP2                     IP3
Hacker's machine -----> Infected machine -----> Target machine

A hacker connects to an infected machine via its IP address (IP1) and forces the infected machine to forward packets to a Target machine, and then the infected machine's IP address (IP2) is used. So, the hacker hides their own IP address.
The virus installs its "anonymous" component as a stand-alone program with the SERVER.EXE name. This program is created in the Windows system directory and registered in the auto-start registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
h0rtiga Server = "Windir\server.exe"
where "Windir" is the Windows system folder.
The virus contains the text string:
(c) 2000. Win9x.h0rtiga v1.0 Server activated - http://mareasvivas.cjb.net
Coded by |Zan - izan@galaxycorp.com / izan@deepzone.org
Who are you???
This string is used as an ID-text to connect a hacker's machine with the server on the infected machine.





© 2006-2008 spyware32.com - Privacy Policy