W32.Tirana


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 17 Jun 2005
Damage: Low

Characteristics: The W32.Tirana application can infect portable executable files with encryption and payload capabilities.

More details about W32.Tirana

When an infected file runs, W32.Tirana takes control through a call instruction injected at the host program's entry point; that call points to the virus's decryption routine. The virus only infects files that meet all of the following conditions: the file must be a Win32 PE executable, it must not already carry the ANIA marker (0x41, 0x49, 0x41, 0x4e) at file offset 0x38, it must not be protected by Windows System File Checker (SFC), and the end of its last section must lie at or beyond 0x1000 (4 KB). When it finds a suitable PE file, the virus appends its code to the end of the executable and overwrites 5 bytes at the entry point, so that control passes to the viral code whenever the file is executed.
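The infection conditions above give a defender two cheap file-level indicators: the four marker bytes at DOS-header offset 0x38 (a reserved area that is normally zero), and an entry point that has been rewritten into a 5-byte call whose target lands in the last section of the file. The following triage scanner is an added example and is not code from the original write-up; it contains a minimal PE32 parser, builds a constructed sample PE for demonstration, and compares the raw byte values the text lists (0x41 0x49 0x41 0x4e, which read "AIAN" in ASCII even though the write-up names the marker ANIA). Section layout, the checks themselves, and the `verdict` labels are the example's own assumptions, not the vendor's detection logic.

```python
import struct

# Marker bytes exactly as listed in the write-up, at DOS-header offset 0x38.
ANIA_MARKER = bytes([0x41, 0x49, 0x41, 0x4E])
MARKER_OFFSET = 0x38
MIN_LAST_SECTION_END = 0x1000  # 4 KB threshold stated in the write-up


def parse_pe(data):
    """Minimal PE32 parser: returns (entry_point_rva, [section dicts])."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + i * 40
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, hdr)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode(), "vaddr": vaddr,
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr,
                         "chars": chars})
    return entry_rva, sections


def rva_to_offset(rva, sections):
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return rva - s["vaddr"] + s["rawptr"]
    return None


def scan_pe(data):
    """Report the two Tirana-style indicators plus the size precondition."""
    entry_rva, sections = parse_pe(data)
    last = sections[-1]
    last_end = last["vaddr"] + max(last["vsize"], last["rawsize"])
    off = rva_to_offset(entry_rva, sections)
    entry_bytes = data[off:off + 5] if off is not None else b""
    call_target = None
    if len(entry_bytes) == 5 and entry_bytes[0] == 0xE8:  # E8 rel32 = CALL
        rel = struct.unpack("<i", entry_bytes[1:])[0]
        call_target = (entry_rva + 5 + rel) & 0xFFFFFFFF
    return {
        "has_marker": data[MARKER_OFFSET:MARKER_OFFSET + 4] == ANIA_MARKER,
        "entry_rva": entry_rva,
        "entry_bytes": entry_bytes.hex(),
        "call_target_rva": call_target,
        "entry_call_into_last_section":
            call_target is not None and last["vaddr"] <= call_target < last_end,
        "last_section_end_rva": last_end,
        "last_section_big_enough": last_end >= MIN_LAST_SECTION_END,
    }


def verdict(findings):
    if findings["has_marker"]:
        return "infection-marker-present"
    if findings["entry_call_into_last_section"]:
        return "suspicious-entry-redirect"
    return "clean"


def build_sample_pe(with_marker=False, patched_entry=False):
    """Constructed two-section PE32 for demonstration (not a real binary)."""
    entry_rva = 0x1000
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    if with_marker:
        dos[MARKER_OFFSET:MARKER_OFFSET + 4] = ANIA_MARKER
    # (name, vaddr, vsize, rawsize, rawptr, characteristics); .data is the last section
    secs = [(b".text", 0x1000, 0x200, 0x200, 0x200, 0x60000020),
            (b".data", 0x2000, 0x1000, 0x1000, 0x400, 0xC0000040)]
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)      # ImageBase
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, va, vs, rs, rp, ch in secs)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    image += b"\0" * (0x200 - len(image))
    text = bytearray(0x200)
    if patched_entry:
        # CALL into the last section at RVA 0x2100, mimicking the rewritten 5 bytes
        text[:5] = b"\xE8" + struct.pack("<i", 0x2100 - (entry_rva + 5))
    else:
        text[:5] = b"\x55\x8B\xEC\x90\x90"  # push ebp; mov ebp,esp; nop; nop
    return image + bytes(text) + bytes(bytearray(0x1000))


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pe()),
                          ("marked", build_sample_pe(with_marker=True, patched_entry=True))):
        f = scan_pe(sample)
        print(label, verdict(f), f)
```

On a real host you would feed `scan_pe` the bytes of each file under review; a marker hit is the stronger signal, while a `CALL` at the entry point into the final section is a heuristic that also fires on some packers, so treat it as a triage lead rather than a verdict on its own.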

After infecting a file, W32.Tirana restores the file's timestamp to its original value. The virus decrypts itself by XORing its body dword by dword with variable keys. After decryption it looks up the 0x2c APIs it needs later and resolves them with its own checksum-based import routine. It hooks the imports of the compromised process, and of modules drawn from a predetermined list of about 13, to carry out additional actions. It then searches the list of running processes for explorer.exe using its own hashing algorithm and injects a thread into the Explorer process space.