Virus.Win32.Chiton

Class: Virus
Platform: Win32
Description

Technical Details

This is a family of dangerous Win32 viruses.

Win32.Chiton.l

When launched, the virus writes itself to vb6eng.dll in the Windows system directory.

When any application which uses this DLL is launched, the virus will search for and infect Win32 applications (PE files). When infecting files, it writes itself to the end of the file. It does not re-infect already infected files.

The virus does not manifest its presence in the system in any way.

It contains the text string:

OU812 – roy g biv
06/06/01
*4U2NV*

Win32.Chiton.m

This virus searches for and infects PE files.

EXE files are infected by patching the API Process Thread Creation offset. Other PE files are infected by replacing the code at the entry point with the virus code. This virus does not re-infect already infected files.

The virus includes anti-debugging techniques.

The virus does not manifest its presence in the system in any way.

The virus code contains errors.

It contains the text string:

Shrug – roy g biv
01/01/01