Prevent Online Threats

Archive for the 'Virus Threats' Category

Win32.Evol

Saturday, July 5th, 2008

Details
Win32.Evol.a

This is a family of parasitic, polymorphic, per-process memory-resident Win32 viruses. When an infected file is executed, the virus runs its infection routine as a separate thread that searches for and infects files in the background until the host program exits.
The viruses infect Win32 PE executable files with .EXE and .SCR extensions. First they infect EXE and SCR files in the Windows directory and its subdirectories. Then they scan all fixed drives on the local machine and infect the files found there. Next they scan and infect remote drives, and finally they enumerate network resources (shared network drives) and infect those as well. As a result, the viruses are able to infect most Win32 executable files on the local machine and to spread across the local network.
Before infection, the viruses check a file name and do not infect the following anti-virus programs: ALERT, AMON, AVP, F-PROT, NAV, SCAN.
While infecting, the virus obtains the file’s entry-point address, moves the block of code found there to the end of the file, and writes its own code at the entry-point address. To return control to the host, the virus reverses the infection: it reads the host’s code block from the end of the file and restores it at the original entry address.
The viruses use a fairly complex polymorphic engine that in some cases rebuilds the virus code: different infected files use different assembler instructions, or different instruction sequences, to perform the same operations. As a result, although the virus is not encrypted, it contains no sufficiently long constant code fragments, and the length of the virus code varies from file to file.

Win32.Ev

Saturday, July 5th, 2008

Details
Win32.Eva

This is a direct action (non-memory resident) parasitic Win32 infector. It searches for PE EXE files in the Windows, Windows system and current directories, then writes itself to the end of the file.
While infecting, the virus does not modify the PE header at all. The infection relies only on the DOS stub header: the virus writes a new PE header offset there, pointing at the virus’s own PE header. As a result, an infected file has three parts: the original DOS stub, the unmodified host PE data, and the virus code and data.
The virus itself has a PE file structure: it contains a PE header, section headers, an import table, and code and data sections. The modified DOS stub in an infected file points to the virus’s PE header instead of the original one, so when Windows executes the infected file it reads and runs the virus’s code instead of the host’s.
To return control to the host program, the virus creates a copy of the infected file, disinfects the copy (simply restoring the original PE header offset) and runs it.
On February 2nd, the virus displays the following message window:
Win32.Eva by Benny, (c) 1999
Hello stupid user, i’m so sorry, but i have to interrupt your work,
’cause I hate this shitty program. Click OK to continue.

Greets to:
Super/29A
Darkman/29A
Jacky Qwerty/29A
Billy Belcebu/DDT
and many other 29Aers

Win32.Eta

Saturday, July 5th, 2008

Details
Win32.Etap
Etap is a very complex, highly polymorphic parasitic Win32 virus that uses the entry-point obscuring technique. The virus infects Windows executable files (Win32 PE EXE). When run, the virus searches for these files and infects them.
Replication
The virus searches for Win32 PE executable files in the current directory and in the directories located in the three levels above the current directory. It also searches for executable files on available network drives and on removable media. If a directory’s name begins with “W” it infects the exe files contained within. The virus doesn’t infect files if their names begin with the following:
F-
PA
SC
DR
NO

‘Etap’ also spares files whose names contain the letter ‘V’, and skips further files depending on random counter values.
While infecting a file, the virus rebuilds and encrypts its body and writes it into one of the host file’s sections. It then searches the host’s code section and replaces one of the ‘calls’ to the “ExitProcess” function with a ‘call’ to the viral code.
Payload
Depending on the system date, and on whether the infected host file imports the Windows library User32.dll, the virus may display messages such as:
On May 14th:
“Free Palestine!”
or, on the 17th of March, June, September and December:
“Metaphor V1 by the Mental Driller/29a”, or
“Metaphor 1b by the Mental Driller/29a”

The latter message’s letters may be randomly selected.

Win32.Enumiacs.665

Saturday, July 5th, 2008

Details
Win32.Enumiacs.6656

This is a non-dangerous memory-resident parasitic Windows virus. It replicates under Win32: it stays in system memory and infects PE EXE files as they are run. The virus has an anti-anti-virus capability: it searches for the AVP Monitor window and terminates it. The virus does not manifest itself in any other way. It contains the text strings:
[Enumiacs] by Virogen [NOP]
Enumiacs by Virogen[NOP]
** THIS IS A BETA VERSION NOT INTENDED FOR PUBLIC RELEASE {0.5} **

When an infected file is executed, the virus gets control, scans the KERNEL32.DLL export table to obtain the addresses of the Windows functions it needs, and then installs itself in Windows memory. To do so, the virus creates its dropper file ENUMIAC.EXE in the Windows system directory, writes its “pure” code there and executes it. This “pure” dropper is a PE EXE program that contains nothing but the virus code and data.
When the dropper is executed, it stays in Windows memory as a hidden application (service) and performs an infection loop: the virus enumerates the programs active in the system, stores their names (up to 125 of them), waits for some time and then infects them.
While infecting, the virus writes its code to the end of the file (appending it to the last file section) and modifies the necessary PE header fields, including the EntryPoint address and the size of image, and even recalculates the file checksum.
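Two of the header tricks described in this archive, the relocated PE header offset of Win32.Eva (above) and the appended code plus patched EntryPoint and checksum of Win32.Enumiacs, are things a file-triage script can flag from the headers alone. The following Python is an added example written for this page, not code from the site or from any antivirus product. Using only the standard library it parses the DOS, COFF and PE32 optional headers and the section table, and reports three indicators: an e_lfanew that skips past an earlier “PE\0\0” signature in the file, an entry point that resolves to the last section, and a header CheckSum that does not match the file contents. The sample files are constructed inside the script (section names such as .vir and their contents are inventions for the demonstration, not real malware), and the optional-header offsets assume PE32 rather than PE32+.

```python
"""PE header triage for two tricks described in this archive: a DOS-header e_lfanew that
bypasses an earlier PE header (Win32.Eva) and the appended-section, stale-CheckSum layout
of appending infectors (Win32.Enumiacs). Added example, not the site's code; stdlib only."""
import struct

DOS_HEADER_LEN, OPT_HEADER_PE32, FILE_ALIGN, SECT_ALIGN = 0x40, 0xE0, 0x200, 0x1000

def align(n, a):
    return (n + a - 1) // a * a

def pe_checksum(data, checksum_off):
    """Standard PE image checksum (the CheckSumMappedFile arithmetic)."""
    total, padded = 0, data + b"\0" * (-len(data) % 4)
    for off in range(0, len(padded), 4):
        if off == (checksum_off // 4) * 4:       # the CheckSum field itself is skipped
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF

def parse_pe(data):
    """Read the few PE32 header fields the checks need (e_lfanew lives at 0x3C)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    # COFF NumberOfSections and SizeOfOptionalHeader; optional header starts 24 bytes in
    num_sections, size_opt = (struct.unpack_from("<H", data, e_lfanew + o)[0] for o in (6, 20))
    opt, sections = e_lfanew + 24, []
    for i in range(num_sections):
        name, vsize, va, raw_size, _ = struct.unpack_from("<8sIIII", data, opt + size_opt + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "size": max(vsize, raw_size)})
    return {"e_lfanew": e_lfanew, "sections": sections, "checksum_off": opt + 64,
            "entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum": struct.unpack_from("<I", data, opt + 64)[0]}

def triage(data):
    """Return a list of findings; an empty list means nothing looked odd."""
    pe, findings = parse_pe(data), []
    first_sig = data.find(b"PE\0\0")
    if pe["e_lfanew"] > first_sig:               # Eva-style: an earlier PE header is bypassed
        findings.append("e_lfanew skips an earlier PE header at 0x%x" % first_sig)
    secs = pe["sections"]
    owner = next((s for s in secs if s["va"] <= pe["entry_rva"] < s["va"] + s["size"]), None)
    if owner is None:
        findings.append("entry point outside every section")
    elif len(secs) > 1 and owner is secs[-1]:    # typical of appending infectors
        findings.append("entry point in last section (%s)" % owner["name"])
    if pe["checksum"] and pe["checksum"] != pe_checksum(data, pe["checksum_off"]):
        findings.append("header CheckSum does not match file contents")
    return findings

def nt_block(layout, entry_rva, size_of_image, size_of_headers):
    """Constructed PE signature + COFF header + PE32 optional header + section table."""
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, OPT_HEADER_PE32, 0x0102)
    opt = bytearray(OPT_HEADER_PE32)
    for off, fmt, val in ((0, "<H", 0x10B), (16, "<I", entry_rva), (28, "<I", 0x400000),
                          (32, "<I", SECT_ALIGN), (36, "<I", FILE_ALIGN), (56, "<I", size_of_image),
                          (60, "<I", size_of_headers), (68, "<H", 2), (92, "<I", 16)):
        struct.pack_into(fmt, opt, off, val)
    table = b"".join(struct.pack("<8sIIII", n, sz, va, sz, ptr) + b"\0" * 16 for n, va, sz, ptr in layout)
    return b"PE\0\0" + coff + bytes(opt) + table

def build_pe(sections, entry_rva, stale_checksum=False):
    """Minimal PE32 file from (name, content) pairs; CheckSum is valid unless stale_checksum."""
    hdr_size = align(DOS_HEADER_LEN + 4 + 20 + OPT_HEADER_PE32 + 40 * len(sections), FILE_ALIGN)
    layout, blobs, va, ptr = [], [], SECT_ALIGN, hdr_size
    for name, content in sections:
        size = align(len(content), FILE_ALIGN)
        layout.append((name, va, size, ptr))
        blobs.append(content.ljust(size, b"\0"))
        va, ptr = va + align(size, SECT_ALIGN), ptr + size
    image = bytearray(DOS_HEADER_LEN)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, DOS_HEADER_LEN)
    image += nt_block(layout, entry_rva, va, hdr_size)
    image += b"\0" * (hdr_size - len(image)) + b"".join(blobs)
    csum_off = DOS_HEADER_LEN + 4 + 20 + 64
    good = pe_checksum(bytes(image), csum_off)
    struct.pack_into("<I", image, csum_off, (good + 1) & 0xFFFFFFFF if stale_checksum else good)
    return bytes(image)

CODE = b"\xC3" * 32                              # constructed stand-in for code: a run of `ret`
def clean_sample():
    return build_pe([(b".text", CODE), (b".data", b"constructed data\0")], entry_rva=SECT_ALIGN)

def appended_sample():                           # new last section owns the entry point, stale CheckSum
    return build_pe([(b".text", CODE), (b".data", b"constructed data\0"), (b".vir", CODE)], 3 * SECT_ALIGN, True)

def relocated_header_sample():
    """Eva-style layout: original header intact, second PE header appended, e_lfanew redirected."""
    image = bytearray(clean_sample())
    hdr_off, hdr_len = len(image), 4 + 20 + OPT_HEADER_PE32 + 40
    struct.pack_into("<I", image, 0x3C, hdr_off)
    second = nt_block([(b".vir", SECT_ALIGN, len(CODE), hdr_off + hdr_len)], SECT_ALIGN, 2 * SECT_ALIGN, hdr_len)
    return bytes(image) + second + CODE

if __name__ == "__main__":
    for label, sample in (("clean", clean_sample()), ("appended", appended_sample()), ("relocated", relocated_header_sample())):
        print("%-10s %s" % (label + ":", "; ".join(triage(sample)) or "no findings"))
```

Run as a script it prints one line per constructed sample: no findings for the clean file, the last-section and CheckSum findings for the appended layout, and the bypassed-header finding for the Eva-style layout. Note that the CheckSum check is a signal rather than a guarantee: Enumiacs recalculates the checksum, so only infectors that neglect it leave a stale value. The same three checks apply to the other appending infectors described further down this page (Drol, Ditto); a production tool would also handle PE32+ images, whose optional-header field offsets differ from the PE32 ones used here.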

Win32.Ennumi.276

Friday, July 4th, 2008

Details
Win32.Ennumi.2761

This is a dangerous non-memory-resident Win32 virus.
It searches all hard drives for PE files to infect.
It looks in the Windows directory for a file named ‘immune’; if this file exists, the virus does not infect anything.
When infecting, the virus writes itself to the end of files.
Infection depends on the time shown by the local system clock. If the time shown is before 1100, no files will be infected. If the time shown is between 1100 and 1400, the virus will infect files in the Windows directory. If the time shown is between 1400 and 1900, si*pi.dll files will be infected. If any other time is shown, the virus will search for these files to infect later.
The virus code contains errors.

Win32.Emotion

Friday, July 4th, 2008

Details
Win32.Emotion.a

This is a companion virus. While infecting, it searches for .EXE files in the current and Windows directories, renames each .EXE file to a .BIN extension and writes its own code under the original name of the infected file. The virus itself is a Win32 PE executable, but it is able to infect EXE files of any format (DOS, OS/2, Win16/32): it pays no attention to the format, and to return control to the host file it simply runs it via the WinExec system function.
On May 13th the virus displays the message:
w32.Emotion - By: Techno Phunk [TI]
A pool of emotions, beaten and abused.
Who will swim in the stale waters? Not a one
But many will scoff and destroy this pool with apathy

The virus then “swaps” mouse buttons.
Another version of this virus has the same code, but the displayed text is replaced with new one:
w32.Sadness - By: enchanter [Volt]
A time of sadness, a time to remember,
To remember what we once had and what we did,
and how we watched it all fade away…

Win32.Elkern

Friday, July 4th, 2008

Details
Win32.Elkern.c
This is a harmless, encrypted, memory-resident Win32 virus.
It repeatedly searches the current directory, hard and network disks, and all accessible network resources for Win32 PE EXE files with the extensions .exe and .scr.
The virus infects files in a similar way to Win95.CIH, by writing itself into the file’s sections.
After launching, the virus remains in memory and infects all processes whose name does not contain the text string ‘\explorer’: it writes part of its body into the process and intercepts the functions DispatchMessageA and DispatchMessageW.
When one of these functions is called, the virus launches a copy of itself in the current process.
The virus does not manifest itself in the system in any way.

Win32.Drol.5337

Friday, July 4th, 2008

Details
Win32.Drol.5337.c

Win32.Drol.5337.c is a dangerous Win32 virus, 5337 bytes in size.
It searches the current directory, the Windows directory and the Windows system directory for PE EXE files and infects them.
When infecting a file it writes itself to the end of the file and changes the name of the section at random.
It does not re-infect already infected files.
The code contains errors which may corrupt files.
Payload
Depending on the date shown by the local system clock, the virus changes the shape of the mouse pointer and displays the message:
DROL v1.0

This is the DROL virus

copyright (C) Lord Julus / [SLAM]

written for fun ;-)

Win32.Drol.5337

Friday, July 4th, 2008

Details
Win32.Drol.5337.a

This is a harmful, non-resident, non-encoded Windows virus, which is related to the viruses Hatred and Undertaker. When an infected file is launched, the virus gains control; it then searches for executable Win32 (PE EXE files) in the current directory, the Windows root and system directories and infects the files found. The infection procedure contains errors, and infected files may cause a standard Windows error message to be displayed.
The virus will delete the following antivirus application data files:
ANTI-VIR.DAT
AVP.CRC
IVP.NTZ
CHKLIST.MS
CHKLIST.CPS
SMARTCHK.MS
SMARTCHK.CPS
On the 7th of each month, the virus will replace the mouse pointer with a skull and crossbones, and display the following message:
DROL v1.0
This is the DROL virus
Copyright (C) Lord Julus / [SLAM]
written for fun ;-)

Win32.Drol.5337

Thursday, July 3rd, 2008

Details
Win32.Drol.5337.a

This is a dangerous, non-memory-resident, unencrypted parasitic Windows virus related to the already known Win32 viruses “Hatred” and “Undertaker”.
When an infected EXE file is executed, the virus gets control and searches for PE EXE files (Win32 executables) in the current, Windows and Windows system directories. It then writes itself into the middle of each file, between the last and the previous file sections, after first moving the last section down. The infection routine has bugs, and in many cases infected files cause a standard Windows application error message.
The virus deletes the anti-virus data files: AVP.CRC, IVP.NTZ, ANTI-VIR.DAT, CHKLIST.MS, CHKLIST.CPS, SMARTCHK.MS, SMARTCHK.CPS.
On the 7th of any month the virus replaces the standard mouse cursor image with a new one (a white skull and black arrow) and displays the message:
DROL v1.0
This is the DROL virus
Copyright (C) Lord Julus / [SLAM]
written for fun ;-)

The new mouse cursor image is written to the DROL.CUR file in the Windows system directory and registered in system Registry.

Win32.Drille

Thursday, July 3rd, 2008

Details
Win32.Driller

This is a per-process memory-resident, highly polymorphic parasitic Win32 virus. It infects PE EXE files with the .EXE, .SCR and .CPL filename extensions. When run, the virus infects such files in the current, Windows and Windows system directories.
The virus also stays in system memory as a component of the infected host program: it obtains the addresses of KERNEL functions and intercepts 15 of them (file searching, opening, copying and moving functions, among others). When a PE EXE file is accessed through one of these functions, the virus infects it. As a result, the virus infects every PE EXE program the infected host program accesses, and it remains active until the host program exits.
While infecting a file, the virus encrypts its 8K of code and stores it at the end of the file. It then reads 8K of the victim file’s code, encrypts that as well and also saves it at the end of the file. The 8K “cave” this leaves in the host’s code is filled with the virus’s polymorphic routine, which decrypts the main virus code and passes control to it:
File infection

  Before infection              After infection
  +=============+               +==============+
  |Header       |               |Header        |
  |-------------|               |--------------| <---- Program entry address
  |Code section |---+           |Polymorphic   |
  |             |   |           |virus routine |----+  Jump to main virus code
  |             |   |           |--------------|    |
  |             |   |           |              |    |
  |-------------|   |           |--------------|    |
  |Data section |   |           |Data section  |    |
  |             |   |           |              |    |
  |-------------|   |           |--------------|    |
  |etc.         |   |           |etc.          |    |
  +=============+   |           +==============+    |
                    |           |Encrypted     | <--+
                    |           |virus code    |
                    |           |--------------|
                    +---------->|Encrypted     |
                                |host file code|
                                +==============+

The virus’ polymorphic engine contains bugs and in some cases, the virus cannot decrypt its code, causing a standard Windows message about an error in the application.
On Fridays, and depending on the system date, the virus replaces the start page of MS Internet Explorer and Netscape Navigator with a reference to the Web site:
http://www.thehungersite.com
The virus contains the “copyright” text:
[Virus TUAREG by The Mental Driller|29A]
- This virus has been designed for carrying the TUAREG engine -

Win32.Dream.491

Thursday, July 3rd, 2008

Details
Win32.Dream.4916

This is a relatively harmless per-process memory-resident parasitic polymorphic Win32 virus. It runs as a thread of the host process and infects Windows EXE and Help files as they are accessed; to intercept file access, the virus hooks the “CreateFileA” Windows function.
While infecting EXE and HLP files, the virus writes itself to the end of the file and modifies the necessary file-structure fields. To run as a Windows application from an HLP file, the virus uses a trick first used by the “WinHLP.Demo” virus.
The virus has bugs, and in some cases it damages the files it infects; when run, such files produce a standard Windows application error message.
The virus contains the following text strings:
Win32.Dream, (c)oded by Prizzy/29A
The greetz go to all 29A vx coderz

Win32.Doser.418

Thursday, July 3rd, 2008

Details
Win32.Doser.4183

This is a dangerous, non-memory-resident, parasitic polymorphic Win32 virus related to the Win32_AOC virus family. It searches for PE EXE files in the current, Windows and Windows system directories, then looks for EXE files on the C: drive and infects them. The virus infects .EXE files as well as .DLL libraries. While infecting, the virus writes itself to the end of the file and writes the ID text “DDoS” into an unused field of the PE EXE header.
When the infection routine is complete, the virus runs its DoS (Denial of Service) routine which, depending on the current day, selects one of seven Internet servers and performs a DoS attack on it. Two of these seven servers are unknown; the rest are:
ctw1.citeweb.net
centralcommand.com
lockdown2000.com
europe2.f-secure.com
zonelabs2.brainstorm.net
It goes without saying that the server list could easily be changed by the virus writer(s) in any new versions of the virus.

Win32.Donu

Thursday, July 3rd, 2008

Details
Win32.Donut

This is a harmless parasitic Win32 virus. It consists of two parts: the virus itself, written in assembly language, and the payload, written in MSIL.
The virus searches for Win32 PE EXE .NET applications. It infects files in up to 20 upper-level directories.
While infecting, the virus writes itself to the end of the file and then writes its payload in place of the original host’s metadata, which is moved down. When an infected file is launched, the virus creates a copy of the infected file, restores its metadata and launches the copy.
The original content of infected files works only in Windows 2000. When an infected file is launched in Windows XP, the virus still works, but the host file does not run.
Depending on a random counter (in 1 case out of 10), the virus displays the following message box:
+-----------------------------------------------+
| .NET.dotNET by Benny/29A                      |
|-----------------------------------------------|
| This cell has been infected by dotNET virus!  |
+-----------------------------------------------+

The virus body contains the text string:
This cell has been infected by dotNET virus!

Win32.Ditto.148

Thursday, July 3rd, 2008

Details
Win32.Ditto.1488

This is a harmless, non-memory resident encrypted parasitic Win32 virus. It searches for PE EXE files (Windows executable files) in the current directory, then writes itself to the end of the file.
The virus seems to be a “test” version: before infecting each file, it reports this action via the following message:
I’am wanna infect filezz

