A new virus called HLLT.Toadie propagates via Pegasus Mail. The virus has two known variants, 6585 and 6810 bytes in length. Both were written in Pascal by a virus writer calling himself "RAiD". The viral code is packed with LzExe and then scrambled to make it difficult to unpack with any standard unpacker.
The 6585-byte variant uses Pegasus Mail to send itself. The 6810-byte variant attempts to use the mIRC client and sends itself over DCC under the name TOADIE.EXE whenever somebody joins the mIRC channel.
The first variant carries the string "Toadie 1.0", the second "Toadie 1.1".
Credit:
This virus was found by Alexey Podrezov of Data Fellows.
Both variants encrypt the host executable file and move a slice equal in size to the virus to the end of the file. The file's date and time are used as the decryption key, so if an infected file is changed in any way it will no longer run.
The virus does not destroy data files, but it can destroy infected program files if the timestamps of those files are changed. Infected programs will refuse to run between certain times of the evening (local time).
When an infected program is run, the virus attempts to propagate itself by looking for unsent Pegasus Mail messages and adding itself as an attachment to those messages.
The virus can also spread through IRC networks. On an infected system it modifies the settings of the IRC client (mIRC) and creates the file TOADIE.EXE. This file is sent via DCC to anyone who joins any IRC channel the user is on at the moment.
The 7800-byte version of the virus is a very fast infector. Within several minutes all EXE files will be infected.
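Because the file's date and time act as the decryption key, any handling step that resets a timestamp makes the host program unrecoverable. The following is an added example, not part of the original advisory: it records the timestamp and hash of each EXE before handling and copies files to quarantine with the original timestamp forced back on. The function names and the sample file are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def snapshot(root):
    """Record mtime (ns) and SHA-256 of every .EXE under root before handling."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".exe":
            manifest[str(path.relative_to(root))] = {
                "mtime_ns": path.stat().st_mtime_ns,
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            }
    return manifest

def quarantine(root, dest, manifest):
    """Copy each recorded file to dest and force the recorded timestamp onto the copy."""
    for rel, meta in manifest.items():
        target = Path(dest) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(Path(root) / rel, target)  # bytes only; mtime becomes "now"
        os.utime(target, ns=(meta["mtime_ns"], meta["mtime_ns"]))

def drifted(root, manifest):
    """Return files whose timestamp or content no longer matches the manifest."""
    current = snapshot(root)
    return sorted(rel for rel, meta in manifest.items() if current.get(rel) != meta)

def demo():
    """Constructed sample: one placeholder .EXE with a fixed 1999 timestamp."""
    with tempfile.TemporaryDirectory() as tmp:
        src, safe, naive = (Path(tmp) / n for n in ("src", "safe", "naive"))
        src.mkdir()
        naive.mkdir()
        sample = src / "HOST.EXE"
        sample.write_bytes(b"MZ constructed placeholder, not a real sample")
        stamp = 915148800 * 10**9  # 1999-01-01 00:00:00 UTC, constructed value
        os.utime(sample, ns=(stamp, stamp))
        manifest = snapshot(src)
        quarantine(src, safe, manifest)
        shutil.copyfile(sample, naive / "HOST.EXE")  # plain copy loses the timestamp
        return drifted(safe, manifest), drifted(naive, manifest)

if __name__ == "__main__":
    print(demo())
```

The plain copy is reported as drifted because its timestamp was reset, while the quarantined copy still matches the manifest.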