win32.cham
Webroot Antivirus: The best protection against viruses, spyware data theft and hackers.
Description:
Details
Win32.Champ
It is a dangerous nonmemory resident parasitic polymorphic Win32 virus. It infects the PE EXE files (Win32 executable). The virus infection routine has bugs and most of infected files are corrupted. They cannot be repaired and should be restored from not infected source.
On 1st of months with even numbers (February, April, June,all) the virus runs its payload routine that creates 500 garbage files with random names in three directories: Windows directory, Windows system directory and in the root directory on the drive where Windows is installed.
When infection routine is activated, the virus searches for PE EXE files in the current directory, then encrypts its body and writes to the end of the file. To get control on infected files start the virus patches the victim files' entry routine - the virus overwrites it with polymorphic code that passes control to the decryption routine in the main virus code (at the end of the file).
The virus checks file names and does not infect anti-virus programs: SCAN*, DRWE*, PAVW*, AVP3*, AVP1*, NOD3*, NOD. The virus also deletes the ANTI-VIR.DAT file, if it exists.
The virus contains the text string:
LethalMind.Champagne releaseed the 22th of March 1999.
Greetings to 29A, SLAM, Darkman, Benny, Pockets, Rod, Mist,
Thermo, Mdrg and all who have helped me. Je t'aime Laurence !
Copyright @2006 win32.cham