Virus

W32/Scorvan.A

Analysis

  • Virus is 32bit with a compressed size of 15,872 bytes
  • When virus is launched, it initiates an instance of the application CALC in order to mask its appearance – the virus loads into memory and waits for a period of time before performing other actions
  • Virus may attempt to copy itself to the root drive as a constructed filename:

    [part 1] + “ “ + [“Calc.exe” or “Calculator.exe” or “Analyzer.scr”]

    In the above, “part 1” is selected from the following list of names:

    Basic, Scientific, Brain, Flames, Lovers, Loving, Trojan, Virus, Sperm, Blood, Heart, Lemmings, Worm, vAndEEd0, Scorpion, Permutation, The Best, Cool, Modified, Love, FBI, Hackers, Hacker, Game, Friendship

  • Virus may use a new constructed file name to copy itself into the shared folder location for peer-to-peer file sharing applications Kazaa, Bearshare, KMD, Limewire, Grokster and eDonkey2000

  • Virus may use a new constructed file name to copy itself into the Windows\Desktop folder

  • Virus may attempt to open or close the CD tray

  • Virus contains the following text at the top of its code –

    This vAndEEd0 program. worm.scorpion...