PE_WEIRD.D, Virus.Win32.Weird.d, Virus:Win32/Weird_10240.C, W32/Kuang.gen, W32/Weird-D
Virus.Win32.Weird.c, Win32.Weird.c, W32/Kuang.gen, W32/Weird-C, Win32/Weird.10240.C
Category: Computer Virus
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
06 Jul 1999
The W32.Weird application is a virus that infects files in the Windows and Windows System folders. This virus is not a dangerous program; it just creates a hidden process, which opens an IP address and listens for commands. This hidden process is identical to other server/client Trojan horses such as Back Orifice, Backdoor, and Net Bus.
W32.Weird Removal Tool
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer virus removal tool to automatically clean W32.Weird from your computer.
More details about W32.Weird
W32.Weird is a memory-resident parasitic Win32 virus that is not harmful. It writes itself to the end of PE EXE files by modifying PE header fields and increasing the size of the last file section. The virus copy in an infected file consists of two parts. The first is the starter, a short routine of about 1 KB of data and code; the second is the main virus code, approximately 10 kilobytes in size, which is encrypted with a ridiculous encryption loop. Once an infected file is executed, the starter takes control and decrypts the second part, which is the main virus code. The starter drops this code to the directory as a PE EXE file and executes it. The main virus acts as a hidden Windows program and runs a low-priority thread, which periodically scans directory trees on drives. It looks for PE EXE files and infects them. W32.Weird also affects EXPLORER.EXE. The virus infects the file and writes a rename instruction to the WININIT.INI file in order to replace the original EXPLORER.EXE with the infected copy on the next Windows startup.
To remove W32.Weird, insert a clean Windows Startup disk or DOS floppy disk into the floppy disk drive and restart your PC. At the prompt, type the commands “cd windows” and “dir *.exe /a:h”, pressing the Enter key after each one. All .exe files in the Windows folder with the hidden attribute are displayed. If Windows is installed in a different location, substitute the correct path when typing the first command. Search for a file with a size of 10,240 bytes. The filename is generated by taking the name of the PC on the infected system and altering some characters. Key in attrib -h and del, pressing Enter after each command. After that, restart your computer and run a full system scan. Try to repair all files that are infected with the virus. If they can’t be repaired, you have to delete them and restore them from a clean backup copy, or you can reinstall the deleted file.
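The two artifacts described above, the pending EXPLORER.EXE replacement in WININIT.INI and the 10,240-byte .exe in the Windows folder, can also be checked on a disk image or backup with a short triage script. This is an added example, not part of the original write-up; the function names and the sample WININIT.INI content (including the EXPLORER.TMP source name) are constructed for illustration.

```python
import os
import stat

DROPPER_SIZE = 10240  # size of the dropped file, as stated on the page

def parse_wininit_renames(text):
    """(destination, source) pairs from [rename]; hand-parsed because
    keys such as NUL may repeat, which configparser rejects."""
    pairs, in_rename = [], False
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
        elif in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs

def explorer_replacements(text):
    """Pending renames whose destination file name is EXPLORER.EXE."""
    return [(d, s) for d, s in parse_wininit_renames(text)
            if d.replace("/", "\\").rsplit("\\", 1)[-1].upper() == "EXPLORER.EXE"]

def dropper_candidates(folder):
    """(name, hidden) for .exe files of exactly DROPPER_SIZE bytes; hidden is
    None where DOS attributes are not exposed (e.g. an image mounted on Linux)."""
    hits = []
    for entry in os.scandir(folder):
        if not (entry.is_file() and entry.name.lower().endswith(".exe")):
            continue
        st = entry.stat()
        if st.st_size == DROPPER_SIZE:
            attrs = getattr(st, "st_file_attributes", None)
            hidden = None if attrs is None else bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
            hits.append((entry.name, hidden))
    return sorted(hits, key=lambda h: h[0])

# Constructed sample; EXPLORER.TMP is a hypothetical name for the infected copy.
SAMPLE_WININIT = """[rename]
NUL=C:\\WINDOWS\\TEMP\\OLD1.TMP
NUL=C:\\WINDOWS\\TEMP\\OLD2.TMP
C:\\WINDOWS\\EXPLORER.EXE=C:\\WINDOWS\\EXPLORER.TMP
"""

if __name__ == "__main__":
    print(explorer_replacements(SAMPLE_WININIT))
```

A match from either check is a lead to confirm with a scanner, since installers also use WININIT.INI to replace in-use files and an unrelated program can happen to be 10,240 bytes long.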