W32.Dengue


Aliases: W32/Dengue, W95/CTX, W32.CTX_II
Variants: W32/Dengue.15456, Win32/Dengue.10385, Win32.CTX.10853

Classification: Malware
Category: Computer Virus

Status: Active
Spreading: Slow
Geographical info: Some parts in Asia, North and South America, Europe and Australia
Removal: Easy
Platform: W32
Discovered: 20 Apr 2000
Damage: Low

Characteristics: W32.Dengue is considered to be the most complex but slow-polymorphic virus written in 2000. GriYo is a member of the 29A virus-writing group who created this virus. It uses the in-memory infection of Explorer.exe which runs on Windows NT/2000 and 9x and deletes checksum files of antivirus software.

More details about W32.Dengue

This virus inserts PE file and replicates on major W32 platforms (Windows 95/98 and Windows NT/2000). It is also called as W32.CTX_ll since they have the same polymorphic engine. It uses multi-layer polymorphism and inserting file infection strategy. The body of the virus is 10853 bytes long causing it to decrypts slowly. Although it is a slow-ployphormic, it is the most complex virus ever written in the year 2000. The virus code’s encryption includes XOR, NOT, SUB and ADD which becomes visible. Some layers may be easily detected while most cases are difficult to detect. The Explorer.exe is the main host used by this virus. When it is controlled, the virus gets the API addresses such as CreateFileA, WriteProcessMemory and IsDebuggerPresent which can be used for checking the checksum of API strings.

The virus begins to search for PE files to spread its infections. Checksum files that are infected are deleted. These files include antivirus software like the avp.crc, anti-vir.dat and ivp.ntz. In some cases, infection of the virus on Explorere.exe causes page fault errors. This allows to automatically load itself once an error occurs. There is no easy manual removal of this virus. You need to use antivirus software that can successfully remove the virus. Make sure to install the appropriate antivirus program that can block spyware, viruses, or other malicious software.