W32.Weird


Aliases: PE_WEIRD.D, Virus.Win32.Weird.d, Virus:Win32/Weird_10240.C, W32/Kuang.gen, W32/Weird-D
Variants: Virus.Win32.Weird.c, Win32.Weird.c, W32/Kuang.gen, W32/Weird-C, Win32/Weird.10240.C

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 06 Jul 1999
Damage: Low

Characteristics: W32.Weird is a virus that infects files in the Windows and Windows System folders. It is not a destructive program: it creates a hidden process that opens a listening network connection and waits for commands. This hidden process behaves like the server half of client/server Trojan horses such as Back Orifice, Backdoor, and NetBus.

More details about W32.Weird

W32.Weird is a non-destructive, memory-resident, parasitic W32 virus. It appends itself to the end of PE EXE files, modifying the PE header fields and enlarging the last section. The virus code in an infected file consists of two parts. The first is the starter, a short routine of about 1 KB of code and data; the second is the main virus code, roughly 10 KB in size, which is encrypted with a trivial encryption loop. When an infected file is executed, the starter takes control and decrypts the second part, the main virus code, drops it into the directory as a PE EXE file and executes it. The main virus runs as a hidden Windows program and starts a low-priority thread that periodically scans the directory trees on the drives, looking for PE EXE files and infecting them. W32.Weird also targets EXPLORER.EXE: it infects a copy of the file and writes a rename instruction to WININIT.INI so that the original EXPLORER.EXE is replaced with the infected copy on the next Windows start-up.

To remove W32.Weird, insert a clean Windows Startup disk or DOS floppy disk into the floppy drive and restart the PC. At the prompt, type the commands “cd windows” and “dir *.exe /a:h”, pressing Enter after each one. This displays all .exe files in the Windows folder that have the hidden attribute. If Windows is installed in a different folder, substitute that path in the first command. Look for a file that is exactly 10,240 bytes in size; its filename is generated from the name of the infected PC with some characters altered. Run attrib -h and then del on that file, pressing Enter after each command. Then restart the computer and run a full system scan. Try to repair all files that are infected with the virus. If they cannot be repaired, delete them and restore them from a clean backup copy, or reinstall the deleted files.
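The search step above, as an added Python example that is not part of the original description: it lists the .exe files in a folder whose size is exactly 10,240 bytes and whose MZ/PE headers parse, so that a candidate dropped file can be reviewed before it is deleted, and reports the hidden attribute where the platform exposes it. The make_stub_pe helper only builds constructed test data and is not virus code.

```python
import os
import stat
import struct
import sys

DROPPER_SIZE = 10240  # size of the dropped W32.Weird executable given in the description


def is_pe_file(path):
    """True if the file starts with an MZ header and has a 'PE\\0\\0' signature at e_lfanew."""
    try:
        with open(path, "rb") as f:
            header = f.read(0x40)
            if len(header) < 0x40 or header[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)  # offset of the PE header
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def is_hidden(path):
    """Hidden attribute of the file; only meaningful on Windows (None elsewhere)."""
    if sys.platform != "win32":
        return None
    return bool(os.stat(path).st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)


def find_candidates(folder, size=DROPPER_SIZE):
    """Sorted paths of .exe files in `folder` that are exactly `size` bytes and parse as PE."""
    hits = []
    with os.scandir(folder) as entries:
        for entry in entries:
            if not entry.is_file() or not entry.name.lower().endswith(".exe"):
                continue
            if entry.stat().st_size != size or not is_pe_file(entry.path):
                continue
            hits.append(entry.path)
    return sorted(hits)


def make_stub_pe(size):
    """Constructed minimal MZ/PE byte blob of exactly `size` bytes (test data only, not a program)."""
    blob = bytearray(size)
    blob[:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x80)  # e_lfanew points at offset 0x80
    blob[0x80:0x84] = b"PE\x00\x00"
    return bytes(blob)
```

Run find_candidates against the Windows folder (for example os.environ["SystemRoot"]) and review each hit with is_hidden before applying attrib -h and del; a size match alone is not proof of infection, so confirm with a scanner.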