W32.Lad.1916


Aliases: Virus.Win32.Lad.1916, Win32.Lad.1916, W32/Adt, Win32.Adt.1916, W32/Adt-A
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 02 Jul 2001
Damage: Low

Characteristics: W32.Lad.1916 is a virus. It is a direct infector that infects Microsoft Portable Executable (PE) files. The virus does not become memory resident when executed. Instead, it attempts to infect files in the Windows folder, the Windows System folder, and the folder where the virus resides.

More details about W32.Lad.1916

W32.Lad.1916 infects PE files and executes on all Win32 platforms. When it is first executed, the virus calculates an offset, which is later used to patch the end of the viral body. Once the virus has finished executing, control is returned to the original host file. Before it infects the system, the virus tries to find Kernel32.dll in memory.

The infection routine is simple. The virus first enters a findfirst/findnext loop that looks for files with an EXE extension in the Windows folder, and it infects every PE file it finds. It then repeats the same findfirst/findnext loop for files with an EXE extension in the Windows System folder and in the current folder where the virus was executed, and infects them.
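Because the virus is a direct infector that rewrites EXE files in a few fixed folders, a hash baseline of the PE files in those folders, taken on a clean system, shows afterwards which files were modified. The following is an added example, not part of the original entry; the function names, the baseline format and the top-level-only scan are assumptions made for illustration.

```python
import hashlib
import os
import struct


def is_pe(path):
    """True if the file has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            dos = f.read(64)
            if len(dos) < 64 or dos[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def sha256_file(path):
    """Hash the file in chunks so large executables are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(folders):
    """Map path -> (size, sha256) for each .exe PE file directly inside each folder.

    Only the top level of a folder is scanned (assumption: one folder per scan).
    """
    snap = {}
    for folder in folders:
        try:
            names = sorted(os.listdir(folder))
        except OSError:
            continue  # folder missing or unreadable: nothing to record
        for name in names:
            path = os.path.join(folder, name)
            if name.lower().endswith(".exe") and os.path.isfile(path) and is_pe(path):
                snap[path] = (os.path.getsize(path), sha256_file(path))
    return snap


def compare(baseline, current):
    """Return (changed, added): files whose hash differs, and files new since baseline."""
    changed = sorted(p for p in current if p in baseline and current[p][1] != baseline[p][1])
    added = sorted(p for p in current if p not in baseline)
    return changed, added
```

Call `snapshot()` with the Windows folder, the Windows System folder and any working folders of interest on a known-clean system, store the result, and pass a later snapshot to `compare()` to list the executables that need scanning or restoring.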

When the virus infects files, it checks the system date. It has a payload that executes on the 19th of every month. If it is the 19th of the month, it displays a message box with the title “ADTWin32” and the message “ADT for Windows.” When the virus has executed the payload routine, it returns control to the original host.

Removing the virus manually may be hard. To manually remove it, update virus definitions, run a full system scan and delete all files infected by the virus. Then, delete additional values added to the registry. Be careful to back up the registry first before attempting to delete values.