Parent class: TrojWare

Trojans are malicious programs that perform actions which are not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, the threats that fall into this category are unable to make copies of themselves or self-replicate. Trojans are classified according to the type of action they perform on an infected computer.

Class: Trojan-Banker

Trojan-Banker programs are designed to steal user account data relating to online banking systems, e-payment systems and plastic card systems. The data is then transmitted to the malicious user controlling the Trojan. Email, FTP, the web (including data in a request), or other methods may be used to transit the stolen data.

Read more

Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.


Technical Details

It is a harmless nonmemory resident parasitic Win32-virus. It searches for Windows32 PE executable files in the current directory and infects them. The virus works under both Windows 95/98 and Windows NT.

When an infected program is run, the virus receives control and searches for Windows32 API addresses. First of all it scans KERNEL code and looks for GetProcAddress function address. When this function is located, the virus by using this address gets pointers to nine other functions:

CreateFileA, CreateFileMappingA, MapViewOfFile, CloseHandle,
FindFirstFileA, FindNextFileA, FindClose, UnmapViewOfFile, SetEndOfFile
By using these calls the virus then searches for files and infects them. While infection the virus incorporates its code into the middle of the file to the end of first section. The virus looks for gap in the virtual image of file: if there is enough free space between first and second section in virtual image (addresses in the memory, not in disk file - the virus avoids overlapping sections on loading file into the memory), the virus shifts the rest of the file down by 1024 bytes, writes its code into this cave, modifies entry point address and fix section headers.

The virus has a bug that causes double infection. Despite this, infected files work without any problem.

The virus contains the text string that gives its name:


Read more

Find out the statistics of the vulnerabilities spreading in your region on

Found an inaccuracy in the description of this vulnerability? Let us know!
Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Confirm changes?
Your message has been sent successfully.