GDIKill.128
Details
GDIKill.1288
This text was written by Alexey Podrezov, F-Secure Corp.
When run, the virus first goes to the C:\WINDOWS\ folder. It then checks the current date, and if the month is not March it passes control to the original WIN.COM code. If the date is the 14th of March, the virus just deletes GDI.EXE, outputs a message and passes control to the original WIN.COM code.
If the virus starts from a dropper (it checks a 1-byte flag for that), it looks for the WIN.COM file and infects it. The virus author planned for the virus to infect other COM files if WIN.COM is already infected, but there is a bug in the virus code and this does not happen. The virus code also contains a routine that goes to the \FONTS\ folder and deletes all files there, but this routine is never activated.