Kaspersky Threats

Class

Platform

Description

Technical Details

It is a dangerous nonmemory resident parasitic polymorphic Win32 virus. It infects the PE EXE files (Win32 executable). The virus infection
routine has bugs and most of infected files are corrupted. They cannot be
repaired and should be restored from not infected source.

On 1st of months with even numbers (February, April, June,…) the virus
runs its payload routine that creates 500 garbage files with random names
in three directories: Windows directory, Windows system directory and in
the root directory on the drive where Windows is installed.

When infection routine is activated, the virus searches for PE EXE files in
the current directory, then encrypts its body and writes to the end of the
file. To get control on infected files start the virus patches the victim
files’ entry routine – the virus overwrites it with polymorphic code that
passes control to the decryption routine in the main virus code (at the end
of the file).

The virus checks file names and does not infect anti-virus programs: SCAN*,
DRWE*, PAVW*, AVP3*, AVP1*, NOD3*, NOD. The virus also deletes the
ANTI-VIR.DAT file, if it exists.

The virus contains the text string:



LethalMind.Champagne releaseed the 22th of March 1999.

Greetings to 29A, SLAM, Darkman, Benny, Pockets, Rod, Mist,

Thermo, Mdrg and all who have helped me. Je t’aime Laurence !

Find out the statistics of the threats spreading in your region

Class	Virus
Platform	Win32
Description	Technical Details It is a dangerous nonmemory resident parasitic polymorphic Win32 virus. It infects the PE EXE files (Win32 executable). The virus infection routine has bugs and most of infected files are corrupted. They cannot be repaired and should be restored from not infected source. On 1st of months with even numbers (February, April, June,…) the virus runs its payload routine that creates 500 garbage files with random names in three directories: Windows directory, Windows system directory and in the root directory on the drive where Windows is installed. When infection routine is activated, the virus searches for PE EXE files in the current directory, then encrypts its body and writes to the end of the file. To get control on infected files start the virus patches the victim files’ entry routine – the virus overwrites it with polymorphic code that passes control to the decryption routine in the main virus code (at the end of the file). The virus checks file names and does not infect anti-virus programs: SCAN, DRWE, PAVW, AVP3, AVP1, NOD3, NOD. The virus also deletes the ANTI-VIR.DAT file, if it exists. The virus contains the text string: LethalMind.Champagne releaseed the 22th of March 1999. Greetings to 29A, SLAM, Darkman, Benny, Pockets, Rod, Mist, Thermo, Mdrg and all who have helped me. Je t’aime Laurence !
	Find out the statistics of the threats spreading in your region

Virus.Win32.Champ

Technical Details