Virus

W32/Datom.A

Analysis

  • The virus is written in a high-level language and consists of three files:

    MSVXD.exe - 58,368 bytes - copies files, initiates MSVXD16.dll
    MSVXD32.dll - 81,408 bytes - contains hooks for MPR.dll, WSOCK32.dll
    MSVXD16.dll - 54,784 bytes - contains registry modification code

  • When the virus is executed, it enumerates available shares via Network Neighborhood, attempts to connect to each share, and infects it by copying all three components to the Windows folder of the target machine.

  • The virus also attempts to modify WIN.INI on the target system so that MSVXD.exe is loaded at the next Windows startup.
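
A host check built from the indicators above, added here as an example and not part of the original analysis: it looks in a Windows folder for the three component names, compares their sizes with the listed ones, and scans WIN.INI for a startup entry that references MSVXD.exe. The function names are hypothetical, and checking the load= and run= entries of the [windows] section is an assumption, since the analysis does not say which WIN.INI entry is modified.

```python
import os, tempfile

# File names and sizes as listed in the analysis above.
COMPONENTS = {"msvxd.exe": 58368, "msvxd32.dll": 81408, "msvxd16.dll": 54784}

def find_components(windows_dir):
    """Map each component name found to 'size-match' or 'name-only'."""
    hits = {}
    for entry in os.listdir(windows_dir):
        expected = COMPONENTS.get(entry.lower())  # Windows names are case-insensitive
        path = os.path.join(windows_dir, entry)
        if expected is not None and os.path.isfile(path):
            same = os.path.getsize(path) == expected
            hits[entry.lower()] = "size-match" if same else "name-only"
    return hits

def win_ini_autostart_refs(windows_dir):
    """Return (key, value) pairs from [windows] load=/run= that mention MSVXD.exe.
    Assumption: the page does not name the WIN.INI entry; load=/run= are checked."""
    ini = next((e for e in os.listdir(windows_dir) if e.lower() == "win.ini"), None)
    if ini is None:
        return []
    refs, section = [], ""
    with open(os.path.join(windows_dir, ini), encoding="latin-1") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].strip().lower()
                continue
            key, sep, value = line.partition("=")
            key = key.strip().lower()  # a ';'-commented line never matches below
            if section == "windows" and sep and key in ("load", "run"):
                if "msvxd.exe" in value.lower():
                    refs.append((key, value.strip()))
    return refs

def assess(windows_dir):
    """Combine both checks into one report for a mounted or live Windows folder."""
    return {"files": find_components(windows_dir),
            "win_ini": win_ini_autostart_refs(windows_dir)}

if __name__ == "__main__":
    # Constructed sample: a temporary folder standing in for a Windows directory.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "MSVXD.EXE"), "wb") as f:
            f.write(b"\0" * 58368)
        with open(os.path.join(d, "WIN.INI"), "w") as f:
            f.write("[windows]\nload=\nrun=C:\\WINDOWS\\MSVXD.exe\n")
        print(assess(d))
```

A "name-only" result means a file with a component's name exists but its size differs from the one listed, so it needs a closer look before any conclusion is drawn.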