VIRUS NAME: W32/Chiton
Virus
Characteristics
W32/Chiton is a family of viruses which are direct file infectors. After a single infected file is run, the virus infects files in the current directory and its subdirectories. Target files are 32-bit PE (Portable Executable) files, such as .EXE and .DLL. The family includes:
- W32/Chiton.a (alias Chthon)
- W32/Chiton.b (alias Shrug)
- W32/Chiton.c (alias Out812)
- W32/Chiton.d (alias Efish)
- W32/Chiton.e (alias Gemini)
Under NT/2000/XP platforms, W32/Chiton.a and W32/Chiton.b are able to infect .EXE files via a Thread Local Storage call. They seem to be the first viruses to use this replication technique.
W32/Chiton.a drops a file called "CHTHON.EXE" in the "\windows" directory: for example, \windows\chthon.exe on Win9x-based systems and \winnt\chthon.exe on Win2000-based systems. The size of this dropped file is 2387 bytes.
W32/Chiton.c drops a file called "VB6ENG.DLL" in the "\windows" directory. Its file size is 2094 bytes.
W32/Chiton.e drops a file called "GEMINI.EXE" in the "\windows" directory. Its file size is 2788 bytes. The viral process is visible in the task manager as "gemini".
Symptoms
32-bit PE files (.EXE, .DLL) have viral code appended or inserted. The A and E variants are not encrypted, and the string "roy g biv" is visible in them.
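The indicators above can be checked with a short triage script. This is an added example, not part of the original description: the function names and the header-only sample image are constructed for illustration. A TLS directory also occurs in legitimate programs, so that flag is a prompt to compare the file against a known-good copy, not a verdict.

```python
import struct

MARKER = b"roy g biv"   # string the page reports as visible in the A and E variants
TLS_DIR_INDEX = 9       # IMAGE_DIRECTORY_ENTRY_TLS in the PE data directory table
# Dropped file names and sizes in bytes, as listed on the page.
DROPPED = {"chthon.exe": 2387, "vb6eng.dll": 2094, "gemini.exe": 2788}

def matches_dropped_file(name: str, size: int) -> bool:
    """True when a file name and size match one of the dropped files."""
    return DROPPED.get(name.lower()) == size

def triage_pe(data: bytes) -> dict:
    """Report the two in-file indicators; raises ValueError if not a 32-bit PE."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("no MZ header")
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("no PE signature")
        opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
        opt_off = pe_off + 24                  # 4-byte signature + 20-byte COFF header
        if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
            raise ValueError("not a PE32 optional header")
        num_dirs = struct.unpack_from("<I", data, opt_off + 92)[0]
        tls_rva = 0
        entry = 96 + 8 * TLS_DIR_INDEX         # offset of the TLS entry in the header
        if num_dirs > TLS_DIR_INDEX and entry + 8 <= opt_size:
            tls_rva = struct.unpack_from("<I", data, opt_off + entry)[0]
    except struct.error as exc:                # truncated or malformed header
        raise ValueError("truncated PE header") from exc
    return {"has_tls_directory": tls_rva != 0, "marker_found": MARKER in data}

def build_sample(tls_rva: int, tail: bytes = b"") -> bytes:
    """Constructed header-only PE32 image for the demo; not a runnable program."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)        # NumberOfRvaAndSizes
    struct.pack_into("<I", opt, 96 + 8 * TLS_DIR_INDEX, tls_rva)
    return dos + b"PE\0\0" + coff + bytes(opt) + tail

if __name__ == "__main__":
    print(triage_pe(build_sample(0x2000, b"...roy g biv...")))
    print(triage_pe(build_sample(0)))
    print(matches_dropped_file("GEMINI.EXE", 2788))
```

The marker search only helps for the variants the description calls unencrypted; a clean result for the string does not rule out the other variants.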
Method Of Infection
Manually running an infected file activates the virus.