Class
Virus
Platform
Win32

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Virus

Viruses replicate on the resources of the local machine. Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example:
  • when infecting accessible disks, a virus penetrates a file located on a network resource
  • a virus copies itself to a removable storage device or infects a file on a removable device
  • a user sends an email with an infected attachment

Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. It is one of the most widespread programming platforms in the world.

Description

Technical Details

This is a dangerous per-process memory-resident Win32 virus that infects PE EXE files (Windows applications) and MSI archives, "upgrades" itself from the Internet, and has e-mail spreading abilities. The virus is encrypted and uses "Entry Point Obscuring" (EPO) technology to hide itself in infected files. The virus is about 6 KB in length.

The virus uses anti-debugging tricks and halts a machine if SoftICE or another debugger is detected in the system.

The virus also tries to disable Windows File Protection. To do that, it damages the system files responsible for file protection: it overwrites the DEFAULT.SFC file with empty data (under Win98) or SFCFILES.DLL (under Win2000). This trick should work under Win98, but should not work under Win2000, where the system either blocks access to SFCFILES.DLL or immediately restores it from backup.

Infection

To infect *.EXE files, the virus looks for them in the current directory and writes itself to the end of the file. To get control, the virus does not modify the program's entry point address; instead, it looks for standard subroutine header/footer sequences and patches a footer with a JMP_Virus instruction. As a result, the virus is not activated at the moment an infected file is run, but rather when the patched routine is executed (when the corresponding branch gets control).

The virus then stays in the memory as a component of the infected program, hooks several file access functions, and infects EXE files that are accessed by the infected program. So the virus is active in the Windows memory up to the moment an infected application is terminated.

In some cases, when run on an NTFS machine, the virus creates an additional NTFS stream (ADS) named ":HIV" ("filename.ext:HIV") in infected files and writes the following "copyright" text there:

This cell has been infected by HIV virus, generation:

0xNNNNNNNN

where NNNNNNNN is virus "generation" number.

MSI archives

The virus also intercepts access to MSI archives, opens them, looks for PE EXE files in there and infects them by overwriting the program entry routine with code that displays the following message when run:

[Win32.HiV] by Benny/29A
This cell has been infected by HIV virus, generation: 0xNNNNNNNN

where NNNNNNNN is virus "generation" number.

HTML files infection

The virus also looks for *.HTML files in the current directory and replaces them with XML files by adding a .XML extension to them:

Clean file: File.html
Infected file: File.html.xml

The virus then hides infected XML files using a trick: it sets a registry key that causes Windows not to show extensions for XML files; changes the XML files icon; and places the standard HTML files icon there. As a result, infected HTML files (that actually are XML files after being infected) are displayed by Explorer as standard HTML files in the files list. So, an infected "File.html.xml" will be shown as "File.html" with a HTML file icon.

The script program written by the virus to infected HTML files gains access to an Internet zone and opens the file there:

http://coderz.net/benny/viruses/press.txt

In reality, this is not a TXT file, but rather an XML file that is processed by Internet Explorer as a standard Web page (despite the fact that the file has a TXT extension). The script program in the PRESS.TXT file downloads an MSXMLP.EXE file from the same site and registers it in the auto-run Registry section:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HIV = c:\MSXMLP.EXE

The MSXMLP.EXE file that is found in there is a standard Windows application with a new virus version in it. So, the virus author can "upgrade" the virus on infected machines, or install a Trojan.
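The following triage script is an added example written from the defender's side; it is not Kaspersky's code nor anything from the virus. It looks for the three on-disk artefacts described above, the ":HIV" stream and its generation counter, the "File.html.xml" renaming, and the "HIV" value under the Run key, assuming those names exactly as this description gives them (the ADS check only works on NTFS, the registry check only on Windows).

```python
import os
import re
import sys

ADS_NAME = "HIV"  # stream name from the description: "filename.ext:HIV"
# The ADS/MSI marker text ends with "generation: 0xNNNNNNNN" (8 hex digits)
GEN_RE = re.compile(r"generation:\s*0x([0-9A-Fa-f]{8})")

def parse_generation(stream_text):
    """Extract the generation counter from the marker text, or None."""
    m = GEN_RE.search(stream_text)
    return int(m.group(1), 16) if m else None

def read_hiv_stream(path):
    """Return the text of path:HIV if that stream exists (NTFS only), else None."""
    try:
        with open(f"{path}:{ADS_NAME}", "r", errors="replace") as fh:
            return fh.read()
    except OSError:  # no such stream, or a filesystem without ADS support
        return None

def find_renamed_html(root):
    """List File.html.xml artefacts: an HTML name with .xml appended."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".html.xml", ".htm.xml")):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def check_run_key():
    """Return the 'HIV' value of HKLM\\...\\Run if present (Windows only), else None."""
    if sys.platform != "win32":
        return None
    import winreg
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            return winreg.QueryValueEx(key, "HIV")[0]
    except OSError:
        return None

def scan(root):
    """Walk root and collect every artefact; ads_marked maps path -> generation."""
    findings = {"renamed_html": find_renamed_html(root), "ads_marked": {}, "run_key": check_run_key()}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            text = read_hiv_stream(path)
            if text is not None:
                findings["ads_marked"][path] = parse_generation(text)
    return findings
```

Run `scan(r"C:\")` on a suspect host; any non-empty `ads_marked`, `renamed_html` or `run_key` result is a lead worth pulling the file for.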

Email spreading

The virus opens the WAB database (Windows Address Book), obtains e-mail addresses from there and sends messages that contain the following:

From: press@microsoft.com
Sent: 2010/06/06 22:00
Subject: XML presentation
Message:
Please check out this XML presentation and send us your opinion.
If you have any questions about XML presentation, write us.
Thank you,
The XML developement team, Microsoft Corp.
Attached file: press.txt

The attached PRESS.TXT file is the same XML script program as used by the virus while infecting HTML files. So, when a user activates PRESS.TXT, a virus copy is downloaded to the computer and registered in the system registry.

The virus saves that PRESS.TXT file in the C: drive root directory: C:\PRESS.TXT.

While sending messages, the virus uses the MAPI library, so it does not depend on the mail system installed on the computer.

The known virus version has a bug in the mailing routine, and fails to send messages.
