W32.Oporto.3078
Virus Name: W32.Oporto.3078
Aliases: None known
Type: EXE files infector
Resident: No
Stealth: No
Trigger: 24th September 1999
Payload: Endless message boxes.
Comments:

W32.Oporto.3078 is a direct infector of Windows PE executables (EXE files). It works under Windows 95, 98 and NT.

If an infected file is executed on September 24, the virus displays an endless series of message boxes containing the following text:

TOTILIX Presents...

This >TOTILIX< Virus was assembled at the 

city of Oporto Portugal!

gas_par@hotmail.com

(c) 1999 G@SP@R aka Sexus

During infection, the virus overwrites the first six bytes at the entry point of the host program so that control transfers to the viral code when the file is executed. The original six bytes are stored in the virus body and restored in memory when the viral code runs. After decrypting its viral code, the virus searches for 30 Windows API functions used for finding and infecting files. It then allocates memory, copies itself to the newly allocated memory and executes from there. It does not infect files whose names start with NTVD. If it finds a file named ANTI-VIR.DAT, it deletes that file.
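
A defender-side heuristic for the entry-point patch described above, as an added example that is not part of the original entry: it parses a PE32 file and reports when the first bytes at the entry point are a control transfer into a different section. The entry does not say how the six bytes are encoded; the `push imm32; ret` and `jmp rel32` forms are assumptions, and the function names and sample images are constructed for illustration.

```python
import struct

def parse_headers(pe):
    """Return (image_base, entry_rva, sections) for a PE32 image held in bytes."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    opt = e_lfanew + 24                      # start of the optional header
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    secs = []
    for i in range(nsec):                    # 40-byte section headers
        name, vsize, vaddr, rsize, roff = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode("latin-1"), vaddr, max(vsize, rsize), roff))
    return image_base, entry_rva, secs

def section_of(rva, secs):
    """Return the section tuple that contains rva, or None."""
    return next((s for s in secs if s[1] <= rva < s[1] + s[2]), None)

def entry_redirect(pe):
    """Return (entry_section, target_section) if the entry point jumps into another section, else None."""
    base, entry, secs = parse_headers(pe)
    home = section_of(entry, secs)
    if home is None:
        return None
    off = home[3] + entry - home[1]          # RVA -> file offset
    code = pe[off:off + 6]
    if len(code) == 6 and code[0] == 0x68 and code[5] == 0xC3:   # assumed form: push imm32 ; ret
        target = struct.unpack_from("<I", code, 1)[0] - base
    elif len(code) >= 5 and code[0] == 0xE9:                      # assumed form: jmp rel32
        target = (entry + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
    else:
        return None
    dest = section_of(target, secs)
    return (home[0], dest[0]) if dest and dest != home else None

def build_sample(entry_code):
    """Constructed minimal PE32: .text at RVA 0x1000, .data at RVA 0x2000."""
    hdr = bytearray(0x400)
    struct.pack_into("<2s58xI4s", hdr, 0, b"MZ", 0x40, b"PE\0\0")   # DOS stub, e_lfanew, signature
    struct.pack_into("<HH12xH", hdr, 0x44, 0x14C, 2, 0xE0)          # i386, 2 sections, optional header size
    struct.pack_into("<H14xI8xI", hdr, 0x58, 0x10B, 0x1000, 0x400000)  # magic, entry RVA, image base
    struct.pack_into("<8sIIII", hdr, 0x138, b".text", 0x200, 0x1000, 0x200, 0x400)
    struct.pack_into("<8sIIII", hdr, 0x160, b".data", 0x200, 0x2000, 0x200, 0x600)
    return bytes(hdr) + entry_code.ljust(0x200, b"\x90") + bytes(0x200)

CLEAN = build_sample(bytes.fromhex("558bec83ec10"))   # constructed: ordinary function prologue
PATCHED = build_sample(b"\x68" + struct.pack("<I", 0x402000) + b"\xC3")  # constructed: push/ret into .data
```

Packers and some software protectors also redirect the entry point, so a hit is a reason to inspect the file, not a verdict.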

Copyright © 2001, All Rights Reserved.
Created & Maintained by VQUEST.