Tuesday, July 19, 2011

Win32.HLLP.Underscore

VirusHunter warns computer users about the spread of the virus file Win32.HLLP.Underscore, which infects Win32 programs ...


A detailed description of the virus Win32.HLLP.Underscore.



1. How the virus gets onto a machine.


The main source of the virus's spread is, as usual, file-sharing networks. The virus can get into the directories of file-sharing programs installed on machines under the guise of "useful" programs, and also simply inside infected software distributions that you send to friends or acquaintances. Unfortunately, most people stubbornly ignore antivirus programs or simply do not update the antivirus databases, which lets the virus "wake up" on their machines. As a result, infected computers become breeding grounds that pass the virus on to tens or even hundreds of other computers. CD/DVD discs recorded on such "clean" machines are also a potential hazard, because it is clear that some of the files recorded on them will be infected. The possibility of catching the virus also cannot be excluded when you use flash drives (USB Flash Memory Storage) or floppy disks for transport or storage.



2. Installation in the system.


Win32.HLLP.Underscore is a non-resident Windows program (a so-called PE EXE file, which carries the "PE" signature in its header; these are programs with 32-bit code written in high-level languages such as C++ Builder, Borland Turbo Pascal (Delphi) and others, created to run under Windows). It runs on all versions of Windows that exist at the time of writing. It is written in Microsoft Visual C (compiled with Microsoft Visual C 5.0) and has a code length of 36,864 bytes.

When activated, the virus locates the Windows system directory (via the %windir% or %systemroot% variable) and copies itself there as the file mc42.exe (the file name is always the same), 36,864 bytes in size. It then creates a key in the system registry so that it is activated at every system start.


3. Infection of Win32 programs.


As mentioned above, the virus is not a resident program and stays in the computer's memory only for the short period corresponding to its working cycle (from tens of seconds to several minutes, depending on the number of logical drives on the hard disk, the amount of data on them and the speed of the computer). It is activated only at system startup and/or when an infected program is run, and performs the following:

1. Checks for its start-up key in the registry and for its component mc42.exe in the Windows system folder;
2. Identifies all available logical drives (C, D, E ... Y, Z), including network drives open for full or partial write access (if the infected machine is running on a local [office] network), then randomly selects one of these drives, scans it, picks about 10 PE EXE files (choosing only those no larger than 2-3 MB), infects them, and then finishes its cycle.

It should also be noted that when selecting potential "victims" the virus skips and does not infect EXE files located in the following places:
- the active Windows system directory and its subdirectories;
- the root of drive C;
- C:\WINDOWS and its subdirectories (both when the active Windows is installed in this directory and when the machine has several Windows installations).

The virus bypasses the "read only" attribute and uses the method employed in its time by the old file viruses of the HLLP family (High Language Lines Program): it overwrites the found EXE file with its own code, to which the original program code is appended. Schematically it looks like this:

Win32.HLLP.Underscore does not re-infect files: it determines whether a copy of its program is already present by comparing the initial part of the file with the copy of the virus in the file mc42.exe, and if a match is found, the virus considers the file already infected and does not touch it.

The first time an infected program is run, the virus creates a new file in the current directory, copies the original program from the infected body into it, and then runs that file (the infected program exits after completing the viral cycle described above). The new file is given: exactly the same name as the infected file, but with a "space" character added as the first character; the current time, which the virus reads from the system timer; and the attributes "hidden" and "system". Therefore this file with the original program is invisible to the user under the default folder and file settings, since by default Windows does not show hidden and system files.

On each run of the infected program, the virus rewrites this new file from scratch.

This technique used by the virus has a downside: when an infected file is run from media with little free space (for example, a USB flash drive or floppy disk), or from media that cannot be written to (for example, a CD-ROM, or a USB flash drive/floppy disk with the switch set to "write lock"), the original program will not run.

Schematically, the launch of an infected program looks like this:






4. Miscellaneous.


The virus code contains the "copyright" string Underscore, from which the virus got its name.







5. Detection of the virus and disinfection of machines.


Since January 2005, the name of the virus in the nomenclature of some antivirus companies has been changed to the following:
- Kaspersky Anti-Virus: Virus.Win32.Undersor (cures infected files)
- BitDefender Professional: Win32.HLLP.36864 (cures infected files)
- DrWeb: Win32.HLLP.Underscore.36864 (cures infected files)

It should be noted that a number of copies of the virus may be present in files with the extension "CHK" (these are files saved by some versions of Windows when the system utility Scandisk finds bad clusters on the hard disk). During disinfection the file mc42.exe must be removed. After disinfection, remove all copies of the original programs created by the virus (see above), which are now nothing more than garbage.
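The following is an added example, not code from the original description, showing how a defender can check for the prepending scheme described in sections 3 and 5: an infected file is assumed to be the 36,864-byte virus body followed by the original program, the reference body is the copy dropped as mc42.exe, and the leftover copies of the original programs are assumed to sit beside the infected files under the same name with a leading space. The sample body and files below are constructed, not real virus bytes.

```python
# Added example (not from the original description). Assumptions: infected file =
# virus body (36,864 bytes, as stated in the description) + original program;
# the reference body is the dropped mc42.exe; leftover originals are " name.exe".
VIRUS_LEN = 36864  # code length given in the description

def is_infected(data: bytes, virus_body: bytes) -> bool:
    """A file is infected if it starts with the known virus body and has
    something appended after it (the same prefix check the virus itself
    uses to avoid re-infecting a file)."""
    return len(data) > len(virus_body) and data[:len(virus_body)] == virus_body

def disinfect(data: bytes, virus_body: bytes) -> bytes:
    """Return the original program, i.e. the bytes following the virus body."""
    if not is_infected(data, virus_body):
        raise ValueError("file does not start with the virus body")
    original = data[len(virus_body):]
    if original[:2] != b"MZ":  # appended data should itself be a DOS/PE image
        raise ValueError("appended data is not an executable image")
    return original

def scan(files: dict, virus_body: bytes) -> dict:
    """Classify a directory listing (name -> contents):
    'virus'    : a bare copy of the virus body (e.g. mc42.exe)
    'infected' : starts with the virus body, original appended
    'leftover' : ' name' copy the virus dropped beside an infected 'name'
    'clean'    : anything else"""
    verdicts = {}
    for name, data in files.items():
        if is_infected(data, virus_body):
            verdicts[name] = "infected"
        elif data == virus_body:
            verdicts[name] = "virus"
        elif name.startswith(" ") and name[1:] in files:
            verdicts[name] = "leftover"
        else:
            verdicts[name] = "clean"
    return verdicts

# Constructed sample data: a fake body padded to the stated length, not real virus bytes.
SAMPLE_BODY = b"MZ" + b"\x00" * (VIRUS_LEN - 2)
SAMPLE_ORIGINAL = b"MZ" + b"ORIGINAL PROGRAM BYTES"
SAMPLE_FILES = {
    "game.exe": SAMPLE_BODY + SAMPLE_ORIGINAL,  # infected: body + original
    " game.exe": SAMPLE_ORIGINAL,               # hidden/system copy the virus dropped
    "tool.exe": SAMPLE_ORIGINAL,                # clean
    "mc42.exe": SAMPLE_BODY,                    # the dropped virus component
}
```

On a real machine the reference body would be read from the dropped mc42.exe, and the recovered original from disinfect() written back in place of the infected file before the leftover " name" copies are deleted.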


Study of the malicious code and preparation of the description: Broido Herman (aka VirusHunter)
Date created: 08/01/2005
Date of last change: 27.05.2005
Author of the description: Broido Herman (aka VirusHunter)
