Trojan.Win9x.FlashKiller (Kaspersky Lab)
is also known as: Trojan.FlashKiller (Kaspersky Lab), Bloodhound.W32.EP (Symantec), WIN.EXE.Virus (Doctor Web), TR/FlashKiller.B (H+BEDV), Trojan.Win95.Flashkiller (SOFTWIN), W32.CIH.1003 (ClamAV), Suspect File (Panda), WIN32 (Eset)
| Description added | Mar 07 2000 |
| Behavior | Trojan |
When run, this trojan immediately erases data on the hard drive and destroys
the Flash BIOS chip if the chip is write-enabled. The trojan itself is a
Windows PE executable and works under Win95/98 only.
To erase disk data and the Flash BIOS, the trojan uses exactly the same
routine as the "Win95.CIH" (aka "Chernobyl") virus: the routine that
"Win95.CIH" activates on April 26th. Moreover, the trojan code appears to
have been compiled from the "Win95.CIH" virus sources with all infection
routines removed and only the data-destroying payload routines left in place.
The detection procedure for this trojan implemented in AVP anti-virus has a
side effect: it helps locate Windows PE EXE files that were not completely
cleaned after a "Win95.CIH" virus infection.
The "Win95.CIH" infection method is quite complex, and in infected files the
virus code is divided into several blocks (see the "Win95.CIH" virus
description for more details). AVP disinfects such files thoroughly: it not
only restores the PE file header and destroys the virus entry routine, but
also erases all parts of the virus code from the infected file.
Several anti-virus programs disinfect the "Win95.CIH" virus less accurately
than AVP does: they recover only the PE file header and leave pieces of virus
code and data in the disinfected files; for example, you may see the "CIH
TATUNG" or "CIH TTIT" string in the bodies of such files. The hard drive
erasing and Flash BIOS destroying routines are also left behind in the files'
sections. This part of the "Win95.CIH" virus code causes AVP to detect such
files as infected by the "FlashKiller" trojan when AVP is run in "Redundant
scan" mode. In this mode AVP scans the whole file contents, locates the hard
drive and Flash BIOS killing routine, and reports trojan code found in the
file.
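As an added defensive example (not Kaspersky's or AVP's code), the following Python walks a PE file's section table and searches every section body for the residual "CIH TATUNG" / "CIH TTIT" strings named above, which is the kind of whole-file check that "Redundant scan" mode performs rather than stopping at the entry point. The minimal PE builder at the end is a constructed test input, not a real sample, and the marker list and function names are assumptions made for this example.

```python
import struct

# Residual strings that the description says sloppy CIH disinfection leaves
# in file bodies; their presence flags an incompletely cleaned PE file.
CIH_MARKERS = (b"CIH TATUNG", b"CIH TTIT")

def pe_sections(data):
    """Return [(name, raw_offset, raw_size)] from the PE section table, [] if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    out = []
    for i in range(nsec):
        off = table + i * 40
        if off + 40 > len(data):
            break  # truncated section table: stop rather than read garbage
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        out.append((name, raw_ptr, raw_size))
    return out

def find_cih_residue(data):
    """Scan every section body (not just the entry point) for CIH markers."""
    hits = []
    for name, ptr, size in pe_sections(data):
        body = data[ptr:ptr + size]
        for marker in CIH_MARKERS:
            pos = body.find(marker)
            while pos != -1:
                hits.append((name, marker.decode(), ptr + pos))
                pos = body.find(marker, pos + len(marker))
    return hits

def build_sample_pe(bodies):
    """Constructed test input: a minimal PE shell wrapping the given section bodies."""
    hdr = 0x40 + 24 + 40 * len(bodies)  # MZ stub + PE/COFF header + section table
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(bodies), 0, 0, 0, 0, 0)
    table, raw, ptr = b"", b"", hdr
    for name, body in bodies:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(body), 0, len(body), ptr)
        table += b"\0" * 16  # relocations, line numbers, characteristics (unused here)
        raw, ptr = raw + body, ptr + len(body)
    return dos + coff + table + raw
```

A file with a clean header but a marker buried in `.data` is reported with the section name and file offset, which is exactly the case a header-only disinfection leaves behind.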
To fix the problem, contact your local AVP distribution and support site and
obtain the CIH-TRAC.AVC database, which detects such badly disinfected files
and completes the disinfection by cleaning all traces of the virus. This
routine is not, and will not be, included in the main AVP databases because
it may cause false alarms.