Win32.HLLO.Roza
Details
Win32.HLLO.Rozak
This is a dangerous, non-resident overwriting Win32 virus.
The virus itself is a Windows PE EXE file about 28 Kb in length, and it is written in Visual C++.
Depending on the internal counters, the virus searches recursively either for all files, or for files with the following extensions:
.exe
.avi
.mp3
.doc
.zip
.rar
.mpg
.mpg4
The virus searches for these files on the drives C:, D:, E:, F:, and overwrites their original contents with its body. These files can be restored only from a backup.
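A damage-assessment sweep based on the overwriting behaviour described above, added here as an example and not part of the original description: it flags files with the listed non-executable extensions that now begin with a PE image, grouped by a hash of their leading bytes. The 4096-byte prefix, the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import struct
import tempfile
from collections import defaultdict

# Extensions listed in the description; .exe is left out because a PE header is normal there.
NON_PE_EXTS = {".avi", ".mp3", ".doc", ".zip", ".rar", ".mpg", ".mpg4"}
PREFIX = 4096  # assumption: leading bytes hashed to group files that share the same start

def looks_like_pe(head: bytes) -> bool:
    """True if the buffer starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_overwritten(root: str) -> dict:
    """Map prefix hash -> sorted paths of media/document files that now begin with a PE image."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in NON_PE_EXTS:
                continue
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    head = fh.read(PREFIX)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if looks_like_pe(head):
                groups[hashlib.sha256(head).hexdigest()].append(os.path.join(dirpath, name))
    return {digest: sorted(paths) for digest, paths in groups.items()}

def demo() -> list:
    """Sweep constructed sample files (not real malware) and return the flagged file names."""
    stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 64
    samples = {"song.mp3": stub, "clip.AVI": stub, "tool.exe": stub,
               "notes.doc": b"\xd0\xcf\x11\xe0" + b"\0" * 80, "old.zip": b"PK\x03\x04" + b"\0" * 80}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        found = find_overwritten(root)
    return [[os.path.basename(p) for p in paths] for paths in found.values()]

if __name__ == "__main__":
    print(demo())
```

Every path the sweep returns is a candidate for restoring from backup; many files with different extensions sharing one prefix hash point to the same overwriting body.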
When the virus is launched, it searches for the file “neh.dll”. If this file exists, the virus shows the following message and terminates:
+--------------------------+
| Error                    |
+--------------------------+
| Brak biblioteki: neh.dll |
+--------------------------+
After infecting files, the virus shows either the following message:
+--------------------------------------------+
| WIN_KACZOR virus                           |
+--------------------------------------------+
| I have just raped your drivesall           |
| I feel sorry, but my desires are stronger… |
+--------------------------------------------+
or two messages:
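+----------------------------------------------------+
| Kwa!                                               |
+----------------------------------------------------+
| Co chciałoby sie uruchomic programik?              |
| Nic z tego. Kaczor mowi: ZAGRAJ W SETTLERS IV!!!!! |
+----------------------------------------------------+

+---------------------------------------------+
| Kwa! Kwa!                                   |
+---------------------------------------------+
| WIN_KACZOR                                  |
| by Nijamormoazazel                          |
| Józefów POLSKA                              |
|                                             |
| And what Symantec? BloodHound doesn’t work? |
+---------------------------------------------+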