W32.Anivip


Aliases: W32.Anivip!html, PWS-Banker, TR/Click.HTML.IFrame.Y.1
Variants: Trojan-Downloader.Win32.Banload.chh, TROJ_BANLOAD.CHH, HTML_IFRAME.BV, Mal/Iframe-F

Classification: Malware
Category: Computer Virus

Status: Inactive
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 20 Apr 2007
Damage: Low

Characteristics: The W32.Anivip malware is capable of injecting its codes or replacing the contents of virtually all types of files including html formats. It can also be used to open unsecured ports as well as connect to malicious websites to download and execute more malware into the infected computer system.

More details about W32.Anivip

On the initial execution of the W32.Anivip virus, it tags the infected machine to make sure that only one instance is running in the computer system. It connects to a predetermined website to download and save the file ip.txt into the hard drive. Successful download of this file allows the W32.Anivip malware to infect all files using the PHP, ASP, and HTM file extensions. This virus can also infect any files that reside in logical drives from letters C to Z that is attached to the host computer system. However, many antivirus developers reveal that this malware does not infect files which reside in the TEMP folder of any directory in whatever drive of the machine. The W32.Anivip also does not infect files that contain the q520, 88kv, 136136, and ac66 text strings within the file itself. This means that it has the ability to scan the actual contents of the files and not just the names assigned to them.

A hidden IFRAME tag can also be added by this virus allowing it to redirect the Web browser to a predetermined website chosen by the malicious author. Downloading and execution of malicious files from the websites affects the behavior of Windows icons and cursors by causing a buffer overflow vulnerability in the machine. Majority of infections reveal that in almost all instances of infections computer systems that make use of animated cursors are most vulnerable. A reliable antivirus program may be required to correctly identify and remove all traces of the virus from the machine.