Win32.ZHymn.a, W95/Zhymn.a, W32/ZHymn
Category: Computer Virus
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
09 Nov 2000
The W95/Ussrhymn program infects files on Windows 95 and Windows 98 systems. The virus is based on W95.Bistro, but does not include the features that made W95.Bistro so difficult to detect. The virus infects PE files and adds an infected .exe to .rar and .zip archive files. It also alters Wsock32.dll and contains support for UUEncoded files.
W95.Ussrhymn Removal Tool
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
More details about W95.Ussrhymn
Once an infected file is executed, W95/Ussrhymn gains control through a modified entry point that points somewhere in the primary section of the program file. The virus inserts its code at the start of the first section and then shifts down the code that was originally there, taking into account the location information in that section. The virus starts with a time-wasting loop intended to force 32-bit code emulators to stop before they find the virus. The virus uses various APIs from Advapi32.dll, Kernel32.dll, and Winmm.dll. The API names are not stored in the virus. It stores only checksums of the APIs it needs to call, and it does not store their addresses anywhere in itself. Instead, it looks the addresses up repeatedly, as often as a function is called.
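An analyst's view of the checksum-based API lookup described above, as an added example that is not part of the original write-up: it rebuilds a checksum-to-name table from DLL export lists so that constants found in a sample can be labelled. The CRC32 checksum, the sample export list and the function names are assumptions; the page does not name the algorithm the virus uses.

```python
import zlib
from collections import defaultdict

# Constructed sample: a few export names from the three DLLs named above.
# In practice the lists are dumped from the DLLs' export tables.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["CreateFileA", "FindFirstFileA", "GetProcAddress", "WriteFile"],
    "advapi32.dll": ["RegOpenKeyExA", "RegSetValueExA"],
    "winmm.dll": ["PlaySoundA", "midiOutOpen"],
}

def crc32_name(name):
    """Assumed stand-in checksum; swap in the routine recovered from the sample."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF

def build_table(exports, checksum=crc32_name):
    """Map checksum -> [(dll, export)], keeping collisions rather than overwriting."""
    table = defaultdict(list)
    for dll, names in exports.items():
        for name in names:
            table[checksum(name)].append((dll, name))
    return dict(table)

def resolve(constants, table):
    """Return {constant: candidates}; an empty list means no known export matches."""
    return {c: table.get(c, []) for c in constants}

def annotate(constants, table):
    """Render one label per constant for pasting into disassembly notes."""
    lines = []
    for c, hits in resolve(constants, table).items():
        label = " | ".join(f"{dll}!{name}" for dll, name in hits) or "unresolved"
        lines.append(f"0x{c:08X} -> {label}")
    return lines

if __name__ == "__main__":
    table = build_table(SAMPLE_EXPORTS)
    # Constructed constants standing in for values read out of a sample.
    observed = [crc32_name("WriteFile"), crc32_name("PlaySoundA"), 0x00000001]
    print("\n".join(annotate(observed, table)))
```

Colliding checksums are reported as multiple candidates instead of being silently overwritten, so a weak checksum does not produce a wrong label.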
The W95.Ussrhymn software can send information about the system to a remote server. An FTP (File Transfer Protocol) connection or an embedded e-mail engine can be used to send the data. The user's activities may be monitored and recorded. Keylogger functions can be used to capture data entered into the system. Stolen information can include passwords, banking information, whole documents, and personal and financial data. These can be used to commit fraud or steal the user's identity.