W32/Vavico.worm

Type: Virus
SubType: Worm
Discovery Date: 04/23/2004
Length: 81920
Minimum DAT: 4354 (04/28/2004)
Updated DAT: 4354 (04/28/2004)
Minimum Engine: 5.1.00
Description Added: 04/25/2004
Description Modified: 04/26/2004 1:55 PM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

Detection was added to cover a local floppy worm. It doesn't spread by e-mail or network drives.

When executed, it displays a fake error message saying that the file is not a valid Windows application. Meanwhile, it performs its malicious actions.

A message might appear: "Your pc is vicious___83...! -cjbprog,...By @DhieSoft-

It may also display the dropped bitmap file c:\winnt\x-logo.bmp.

It places files on the desktop, including but not limited to:

  • Shakira.mp3.exe
  • Download.zip.exe
  • Freebsd.doc.exe

It tries to copy itself to the floppy (A:\) drive:

  • Sexy.bmp.exe
  • Pikachu.bmp.exe
  • Linux.doc.exe
  • Antidebug.rar.exe
  • Ebooks.pdf.exe

It drops files to the root of the C: drive:

  • Bios.doc.exe
  • Christina Aguilera I turn to you.mp3.exe
  • Funny.bmp.exe
  • Password.mdb.exe

It also creates files in the Windows system32 directory:

  • Eax.exe
  • Msvrt.exe
  • Term32.exe

It creates files in the Windows directory:

  • Exploder.exe
  • Krnl836.exe
  • Run.exe

It creates a directory containing a file: C:\Program Files\Norton Antivirus\navw32.exe

It creates a directory containing a file: C:\winnt\pc-health\pcguard.exe

It creates a directory containing a file: C:\winnt\installer\temp\shakira.mp3.mp3

It creates a registry value "scrnsave.exe" under HKCU\Control Panel\Desktop with the data set to: C:\winnt\system32\3d_papa_buzzie.scr

It creates values under the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run:

  • "Norton Antivirus" and points to the above navw32.exe file
  • "Kernel32" and points to the above krnl836.exe file
  • "Terminal Services" and points to the above term32.exe file

It sets the "Autorun" value under HKLM\Software\Microsoft\Command Processor to the new data: echo off!copy c:\winnt\config\driver.idf c:\mario.exe|cls|echo.___vicious83(...by Buggie-haeza-tsu)

It tries to interfere with AV software (McAfee, PCCillin, Norton, Panda).

Symptoms

  • Presence of files mentioned above
  • Strange messages on the screen
  • Unexpected files being copied automatically to the floppy drive
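The artifacts listed above can be checked offline against a file listing and a registry export collected from a suspect host. The following is an added example, not part of the original description or the vendor's tooling; the function names and the input shape (a list of paths and a dict of registry values) are assumptions, and the double-extension check generalizes beyond the listed names to any file ending in one of the decoy extensions followed by .exe.

```python
import ntpath
import re

# Decoy extensions used by the dropped copies listed in this description.
DECOY_EXTS = ("mp3", "zip", "doc", "bmp", "rar", "pdf", "mdb")
DOUBLE_EXT = re.compile(r"\.(?:%s)\.exe$" % "|".join(DECOY_EXTS), re.IGNORECASE)

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
CMD_KEY = r"HKLM\Software\Microsoft\Command Processor"
DESKTOP_KEY = r"HKCU\Control Panel\Desktop"
# Run value name -> file it points to, as listed in the description.
RUN_VALUES = {"norton antivirus": "navw32.exe", "kernel32": "krnl836.exe",
              "terminal services": "term32.exe"}

def double_extension_files(paths):
    """Return the paths whose file name ends in <decoy extension>.exe."""
    return [p for p in paths if DOUBLE_EXT.search(ntpath.basename(p))]

def registry_findings(values):
    """values maps (key, value name) -> data; return labels for matching entries."""
    findings = []
    for (key, name), data in values.items():
        k, n, target = key.lower(), name.lower(), ntpath.basename(data).lower()
        if k == RUN_KEY.lower() and RUN_VALUES.get(n) == target:
            findings.append("run:" + n)
        elif k == CMD_KEY.lower() and n == "autorun" and "driver.idf" in data.lower():
            findings.append("cmd-autorun")
        elif k == DESKTOP_KEY.lower() and n == "scrnsave.exe" and target == "3d_papa_buzzie.scr":
            findings.append("screensaver")
    return sorted(findings)

# Constructed sample input (not captured from a real host).
SAMPLE_PATHS = [r"C:\Bios.doc.exe", r"A:\Pikachu.bmp.exe",
                r"C:\Documents and Settings\user\Desktop\Shakira.mp3.exe",
                r"C:\Documents and Settings\user\Desktop\report.doc",
                r"C:\winnt\system32\notepad.exe"]
SAMPLE_REG = {
    (RUN_KEY, "Kernel32"): r"C:\winnt\krnl836.exe",
    (RUN_KEY, "Norton Antivirus"): r"C:\Program Files\Norton Antivirus\navw32.exe",
    (RUN_KEY, "ctfmon"): r"C:\winnt\system32\ctfmon.exe",
    (CMD_KEY, "Autorun"): r"echo off!copy c:\winnt\config\driver.idf c:\mario.exe|cls|echo.___vicious83(...by Buggie-haeza-tsu)",
    (DESKTOP_KEY, "scrnsave.exe"): r"C:\winnt\system32\3d_papa_buzzie.scr",
}

if __name__ == "__main__":
    for path in double_extension_files(SAMPLE_PATHS):
        print("double extension:", path)
    for finding in registry_findings(SAMPLE_REG):
        print("registry:", finding)
```

Matches are triage leads; confirm them with a scan using the engine and DAT versions given in this description.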

Method of Infection

Infection starts with manual execution of the binary. It doesn't spread automatically by e-mail or network.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Trojan.Vavico (Symantec)
  • Win32.HLLW.Vavico (Kaspersky)
