Win32.Hatred
Details
Win32.Hatred.a
These are dangerous, non-memory-resident, parasitic, polymorphic Windows viruses about 10 KB in length that infect Win32 PE EXE files. While infecting a file, they increase the size of its last section, encrypt themselves and write the encrypted body there, then modify the necessary fields in the PE file header.
The viruses have bugs and often corrupt the files they infect; most infected files are corrupted, and in most cases the virus replicates only from its “first generation” (the dropper file). Although the known virus versions are therefore “intended” (unable to replicate) from the second generation onward, this bug may be fixed in future variants.
When the virus runs its infection procedure, it first searches the Windows directory for the files CDPLAYER.EXE, CALC.EXE, PBRUSH.EXE, MPLAYER.EXE, NOTEPAD.EXE and WINHLP32.EXE and infects them. It then scans all directories on all drives to locate and infect PE EXE files.
The virus processes only one drive per run and continues with the next drive the next time an infected file is run. To do this, it collects disk information, encrypts it and stores it in the system registry under the key:
HKEY_CURRENT_USER\Control Panel\Cursors: dertaH = [disks info]
On the next start-up, the virus reads this information and resumes the infection process from the drive on which it was interrupted the previous time.
The virus checks file names and does not infect files belonging to several anti-virus programs, i.e. names matching F-*, AW*, AV*, NAV*, PAV*, RAV*, NVC*, FPR*, DSS*, IBM*, INOC*, ANTI*, SCN*, VSAF*, VSWP*, PANDA*, DRWEB*, FSAV* (F-PROT, AVG, AVP, etc.).
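The infection layout described above (an enlarged last section holding an encrypted body, with the PE header patched to start there) leaves a pattern that can be checked statically. The following is an added example written for this page, not code from the original description or from the virus author: it parses the PE section table, tests whether AddressOfEntryPoint falls inside the last section, whether that section is both executable and writable, and how high its byte entropy is. The two sample images are constructed in the script (the “encrypted body” is seeded random data), and the 7.0-bit entropy threshold is an assumption chosen for triage.

```python
import math
import random
import struct
from collections import Counter

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, section list) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return entry_rva, sections


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; encrypted or packed data sits close to 8.0."""
    n = len(buf)
    if n == 0:
        return 0.0
    return sum(-(c / n) * math.log2(c / n) for c in Counter(buf).values())


def appended_code_hints(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Flag the 'entry point inside an enlarged, high-entropy last section' pattern.

    The threshold is an assumption for triage, not a value from the virus
    description; packers such as UPX produce the same picture on clean files.
    """
    entry_rva, sections = parse_pe(data)
    if not sections:
        raise ValueError("image has no sections")
    last = sections[-1]
    span = max(last["vsize"], last["rawsize"])
    entry_in_last = last["vaddr"] <= entry_rva < last["vaddr"] + span
    exec_and_write = bool(last["chars"] & IMAGE_SCN_MEM_EXECUTE) and bool(last["chars"] & IMAGE_SCN_MEM_WRITE)
    raw = data[last["rawptr"]:last["rawptr"] + last["rawsize"]]
    body = raw[:last["vsize"]] if last["vsize"] else raw  # skip file-alignment padding
    entropy = shannon_entropy(body)
    return {
        "last_section": last["name"],
        "entry_in_last_section": entry_in_last,
        "last_section_exec_and_write": exec_and_write,
        "last_section_entropy": round(entropy, 2),
        "suspicious": entry_in_last and (exec_and_write or entropy >= entropy_threshold),
    }


def build_pe(entry_rva: int, sections) -> bytes:
    """Constructed minimal PE32 image for testing; sections = [(name, rva, raw, chars)]."""
    opt_size = 0xE0
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = (headers_len + 0x1FF) & ~0x1FF  # 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    table, body, ptr = b"", b"", first_raw
    for name, rva, raw, chars in sections:
        size = (len(raw) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), rva, size, ptr, 0, 0, 0, 0, chars)
        body += raw.ljust(size, b"\0")
        ptr += size
    return (dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0") + body


# Constructed samples: a clean layout, and the same layout after an appended,
# "encrypted" body (seeded random bytes) with the entry point moved into it.
_rng = random.Random(1999)
_CODE = b"\xC3" * 256
_ENCRYPTED_BODY = bytes(_rng.getrandbits(8) for _ in range(4096))
_TEXT = (b".text", 0x1000, _CODE, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
_DATA_FLAGS = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CLEAN_IMAGE = build_pe(0x1000, [_TEXT, (b".data", 0x2000, b"\0" * 64, _DATA_FLAGS)])
INFECTED_IMAGE = build_pe(0x2000 + 64, [
    _TEXT,
    (b".data", 0x2000, b"\0" * 64 + _ENCRYPTED_BODY, _DATA_FLAGS | IMAGE_SCN_MEM_EXECUTE),
])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE)):
        print(label, appended_code_hints(image))
```

Treat a hit as a triage signal rather than a verdict: packed but legitimate executables put their entry point in a late, high-entropy section too, so a flagged file still needs the polymorphic decryptor confirmed by a scanner. On a live host, the registry entry the virus keeps under HKEY_CURRENT_USER\Control Panel\Cursors (value name dertaH, or YKCUL for Hatred.b) is a cheaper second indicator that does not require parsing any files.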
The virus also deletes several anti-virus data files:
AVP.CRC, IVP.NTZ, ANTI-VIR.DAT, CHKLIST.MS, CHKLIST.CPS, SMARTCHK.MS, SMARTCHK.CPS
On the 7th of any month, “Hatred.a” displays a message and then covers the screen with black dots. The message reads:
Win32.Hatred by Lord Julus (c) 1999
Today is the 7th !! Today is the day of hate !!
With Heart feel Hatred ! Black blood runs thru my veins !
Hatred !!!! Hatred !!!!
(escape is your escape)
The “Hatred.a” virus contains the text:
Win32.Hatred V.1.0
(C) 1999 by Lord Julus / [SLAM]
The polymorphic engine used by this virus contains the text strings:
Multiple Opcode Fantasies 32Bit V.2.5 by Lord Julus - 1999
JGM - Junk Generator Module V.1.0 by Lord Julus - March 1999
Hatred.b
This virus version is very close to the original one. The differences are: the registry entry name is “YKCUL” (“LUCKY” written backwards), and the “copyright” text is:
LUCKY B.R.D 1994-99
The payload routine is activated on the 3rd of any month, and the message displayed is:
Win95/98/Nt This is The Comtech Vir by LUCKY B.R.D 1994-99
Comtech product are badall..