Aliases: W32/Zori.B, W32/HLLP.Zori
Variants: PE_ZORI.E-O

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 31 Mar 2005
Damage: High

Characteristics: The W32.Zori.B program is a virus that binds itself to executables files. It spreads through shared files on Windows and delete all files from the infected computer’s disks nine days after the original infection.

More details about W32.Zori.B

The W32.Zori.B is an infecting virus written in Delphi language. It attacks system files of a Windows platform. It searches the system for Windows executable files. It then binds itself to the executable files found on the computer, and multiplies by spreading through network shares. Infected files increase by 623,116 bytes in file size. It has the capability to prevent system files from being run which results to a slow and unresponsive system performance. The W32.Zori.B virus will corrupt and delete all the files in the compromised system nine days after it has been first infected, making the device completely unusable.

When the W32.Zori.B virus has been activated, it creates and opens an image file named andylau.bmp. It then creates a copy as an executable file and binds itself to the infected system’s registry. When this happens, the W32.Zori.B is launched every time Windows starts. Then the virus creates a registry entry called mysoft as an infection marker. After which, it opens a backdoor on TCP port 1879 and communicates to a domain to listen for a command from the attacker. This virus prevents several system files from being launched such as pfw.exe, kvfw.exe, and KAVPFW.EXE when the system is started.