Virus.Win32.Champ

Class Virus
Platform Win32
Description

Technical Details

It is a dangerous nonmemory resident parasitic polymorphic Win32 virus. It infects the PE EXE files (Win32 executable). The virus infection
routine has bugs and most of infected files are corrupted. They cannot be
repaired and should be restored from not infected source.

On 1st of months with even numbers (February, April, June,…) the virus
runs its payload routine that creates 500 garbage files with random names
in three directories: Windows directory, Windows system directory and in
the root directory on the drive where Windows is installed.

When infection routine is activated, the virus searches for PE EXE files in
the current directory, then encrypts its body and writes to the end of the
file. To get control on infected files start the virus patches the victim
files’ entry routine – the virus overwrites it with polymorphic code that
passes control to the decryption routine in the main virus code (at the end
of the file).

The virus checks file names and does not infect anti-virus programs: SCAN*,
DRWE*, PAVW*, AVP3*, AVP1*, NOD3*, NOD. The virus also deletes the
ANTI-VIR.DAT file, if it exists.

The virus contains the text string:


LethalMind.Champagne releaseed the 22th of March 1999.
Greetings to 29A, SLAM, Darkman, Benny, Pockets, Rod, Mist,
Thermo, Mdrg and all who have helped me. Je t’aime Laurence !