Virus.Win32.Ultratt

Class Virus
Platform Win32
Description

Technical Details

This is a non-memory-resident parasitic Win32 virus with IRC spreading abilities. The virus searches for EXE, SCR, CPL, and OCX Windows executable files, and writes itself to the end of the file. Only one version of the virus is known, a “debug” version, which infects these files only when their names begin with the “1” character (for example, “1.EXE”). The virus looks for files in the current, Windows, and Windows system directories.

To spread via IRC channels, the virus creates an infected C:\MUTT.EXE file and overwrites the SCRIPT.INI and EVENTS.INI files (mIRC and PIRCH control files) with commands that send a copy of the virus (the MUTT.EXE file) to anyone entering the affected chat channel.

The virus uses anti-debugging tricks, and halts the system if its code is running under a debugger.

On the 15th of any month, the virus modifies the system registry to make the A: and B: drives invisible in Explorer. It then displays the following message box:

[Win32.Mutt v1.00]
Mutt by ULTRAS[MATRiX] (c) 2000
Thanx: [MATRiX] VX TeAm: mort, NBK, anaktos, Del_Armg0, Lord Dark…
Greetz: all VX scene

The virus deletes the following anti-virus data files:

AVP.CRC, ANTI-VIR.DAT, CHKLIST.MS, IVB.NTZ, NOD32.000, TBSCAN.SIG, AP.VIR

The virus also contains a routine that terminates anti-virus scanners and resident monitors, but this routine never receives control. The list of anti-virus programs appears as follows:

AVP Monitor
Amon Antivirus Monitor
AVG Control Center
Avast32 — Rezidentní podpora
Antivírusový monitor Amon
Norton AntiVirus
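The file-system traces described above (the dropped MUTT.EXE, mIRC/PIRCH control files that name it, and the “1”-prefixed file names the debug version targets) can be collected for review with a short triage script. This is an added example, not part of the original description; the function names, finding labels and the sample tree are constructed for illustration.

```python
import pathlib
import os
import tempfile

DROPPED_NAME = "MUTT.EXE"  # indicators below are taken from the description
IRC_CONTROL_FILES = {"SCRIPT.INI", "EVENTS.INI"}  # mIRC and PIRCH control files
TARGET_EXTS = {".EXE", ".SCR", ".CPL", ".OCX"}

def references_dropper(path, limit=1 << 20):
    """True if the first `limit` bytes mention MUTT.EXE, case-insensitively."""
    try:
        with open(path, "rb") as fh:
            return DROPPED_NAME.encode() in fh.read(limit).upper()
    except OSError:
        return False  # unreadable file: no evidence either way

def triage(root):
    """Walk `root`; return sorted (kind, relative path) pairs for manual review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            upper = name.upper()
            if upper == DROPPED_NAME:
                kind = "dropped-copy"
            elif upper in IRC_CONTROL_FILES and references_dropper(path):
                kind = "irc-control-file-references-mutt"
            elif upper.startswith("1") and os.path.splitext(upper)[1] in TARGET_EXTS:
                kind = "debug-build-target-name"  # candidate only; hand to a scanner
            else:
                continue
            findings.append((kind, os.path.relpath(path, root).replace(os.sep, "/")))
    return sorted(findings)

def demo():
    """Run triage over a constructed tree of harmless placeholder files."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "MUTT.EXE": b"placeholder",
            "mirc/script.ini": b"; constructed line naming C:\\MUTT.EXE\r\n",
            "pirch/events.ini": b"; constructed clean file\r\n",
            "windows/1.scr": b"placeholder",
            "windows/notepad.exe": b"placeholder",
        }
        for rel, data in samples.items():
            full = pathlib.Path(root, rel)
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_bytes(data)
        return triage(root)
```

A file name match is only a reason to look closer: control files that name MUTT.EXE should be restored from a clean copy, and “1”-prefixed executables should be passed to an anti-virus scanner.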