Win16.Klon.1177 Viruses Information
It is not a dangerous nonmemory resident parasitic Win16 virus.
The virus itself is Win16 executable file (NE EXE file) about 11-13Kb of length (depending on virus version). The virus is written in Turbo Pascal for Windows.
When the virus runs it looks for Win16 and Win32 EXE files (NE and PE) on available drives and infects them. While infecting the virus moves victim file body down, and writes its own code to the file beginning. To return control to host program the virus "disinfects" host file to temporary ".DLL" file and spawns it.
While processing the virus may also create its "droppers" (pure virus EXE code) in Windows system directory, the file names depend on virus version:
SYSTEM0.EXE, SYSTEM1.EXE, SYSTEM9.EXE ANTIA.EXE, ANTIB.EXE
Some of virus versions also register these files in WIN.INI file in auto-run section:
Depending on its "generation" and other conditions the viruses displays the message boxes:
Najemnik Virus Version 3.0
One of virus versions looks for active anti-virus programs by searching for following strings:
then moves this application window out of desktop and tries to terminate this application.
The viruses contains the text string:
"Klon.12800,13056": AntiAntiVirus AAV AntiAntiVirus AAV
Top Viruses Visited Pages:
Baboo - 675 visits
Invader. - 538 visits
Firstling.199 - 263 visits
Macro.Excel.Hidemo - 241 visits
Spartak.110 - 235 visits
not-a-virus:RemoteAdmin.Win32.RAdmin.2 - 232 visits
Worm.P2P.Harex. - 225 visits
Coito.64 - 224 visits
Small.58. - 214 visits
DDoS.Win32.Kozo - 196 visits
Random Viruses Pages: