W32/Lovero.worm

Type: Virus
SubType: Floppy Worm
Discovery Date: 03/18/2004
Length: 63488
Minimum DAT: 4340 (03/22/2004)
Updated DAT: 4992 (03/26/2007)
Minimum Engine: 5.1.00
Description Added: 03/22/2004
Description Modified: 03/22/2004 4:14 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

Detection was added to cover a malicious 32-bit PE file originally called "syssrv.exe", having a file size of 63488 bytes (decimal). The file is written in Borland Delphi and is internally compressed with ASPack.

The binary's icon mimics a Notepad text-file icon. The malicious file failed to execute properly on many test machines. When it does run successfully, it displays an empty Notepad window. It copies itself, for example on a Windows 2000 system, to the location:

  • c:\winnt\system32\syssrv.exe

To have the file execute automatically at system start, it creates a standard registry entry under

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • Name: syssrv
  • Data: c:\winnt\system32\syssrv.exe

The process is visible in the Windows Task Manager and can also be killed manually. Note that VirusScan is able to kill the process, remove the registry entry and delete the file automatically.

While the malicious process is running, the Registry Editor can be started but is not fully functional: the registry information cannot be viewed or edited.

It also creates a file called Hallo.Roro.htt with the SHR file attributes, i.e. it is marked system, hidden and read-only. The file is a harmless text file in which the virus author expresses his love for someone.

The worm tries to copy itself to floppy drive A:. During testing this did not function very well, resulting in a hanging, non-responding floppy drive. It does not perform mass-mailing.

When the payload activates, it might modify autoexec.bat to delete files from the Program Files and Windows folders on the next startup, displaying Indonesian messages.

Symptoms

  • Presence of the files (with matching file size) mentioned above
  • Unexpected Indonesian messages on the screen and in files
  • Inability to browse the registry with the Registry Editor
  • Binary file being put automatically onto floppy drives
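As an added triage example (not McAfee's code and not part of the original description), the following Python checks a registry export and a directory listing for the three host artifacts named above: the syssrv Run value, a syssrv.exe of exactly 63488 bytes, and the Hallo.Roro.htt file with system/hidden/read-only attributes. The .reg text and the listing below are constructed sample input, so the check runs offline; on a real host the same functions would be fed the output of `reg export` and a recursive directory listing.

```python
# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "syssrv"
WORM_FILE = "syssrv.exe"
WORM_LENGTH = 63488
DROPPED_FILE = "hallo.roro.htt"

# Constructed sample of what a `reg export` of the Run key could look like.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SomeTool"="c:\\tools\\tool.exe"
"syssrv"="c:\\winnt\\system32\\syssrv.exe"
"""

# Constructed sample directory listing: (path, size in bytes, attribute letters).
SAMPLE_LISTING = [
    (r"c:\winnt\system32\notepad.exe", 50960, "A"),
    (r"c:\winnt\system32\syssrv.exe", 63488, "A"),
    (r"c:\winnt\Hallo.Roro.htt", 412, "SHR"),
]

def parse_run_values(reg_text):
    """Return {value name: data} for the HKLM Run key in a .reg export."""
    values = {}
    in_run_key = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_run_key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files quote string data and escape backslashes as "\\".
            values[name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return values

def find_indicators(reg_text, listing):
    """Return findings for the Run entry, the worm file length and the dropped file."""
    findings = []
    data = parse_run_values(reg_text).get(RUN_VALUE_NAME, "")
    if data.lower().endswith(WORM_FILE):
        findings.append(f"Run value '{RUN_VALUE_NAME}' -> {data}")
    for path, size, attrs in listing:
        name = path.rsplit("\\", 1)[-1].lower()
        if name == WORM_FILE and size == WORM_LENGTH:
            findings.append(f"{path} has the expected length {size} bytes")
        if name == DROPPED_FILE and set("SHR") <= set(attrs.upper()):
            findings.append(f"{path} present with attributes {attrs}")
    return findings
```

A file name match without the 63488-byte length is deliberately not reported as the worm file, since other programs can use the same name; the Run value is reported on its own because it is the persistence hook the cleaner removes.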

Method of Infection

Infection starts with manual execution of the binary. It does not mass-mail itself; it spreads by copying itself to floppy drives.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
