This virus infects executable files, is written in Delphi, and is approximately
43872 bytes in size.
Installation
When the virus is launched, it copies itself to the %SYSTEM%\SVCHOSTV\ directory
as SVCHOST.EXE. It then adds a link to this file in the system registry. This
ensures the virus will be launched each time the infected system is rebooted.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SVHOST" = "C:\WINDOWS\System32\SVCHOSTV\SVCHOST.EXE"
It also copies itself to %SYSTEM%\SVCHOSTV\SVCHOSTV\Vshell??\1.exe, where ??
is replaced by a hexadecimal number.
Infection routine
Once installed, the virus will start searching the hard disks for executable
(*.EXE) files. It infects files by writing its code to the beginning of these
files. Programs infected by the virus will be 438272 bytes larger than the original
file size.
Other
The virus creates a text file named NSASABDox.drv in the system directory
which shows the date the virus was first launched.
From time to time, the virus may hide the Start button, the Control Panel
or other windows, cause the CD-ROM drive to open on its own, etc.
The virus creates and launches a command file named diablo.bat with the following
contents:
shutdown -s -t 30 -c "Hi, I am Death. I Want to send the enormous hello:
Oxy, Alke, Punk-y Dashe and others Goblinam. P.S.( Bye "Hacker", you possible
can not restart computer)" -f
It causes Russian text to be displayed on the screen. The first line of
the text contains the English words
"Hello, " [...]". This is Death."
9 days after the virus is first launched, it displays a window with further
Russian text. The first line of the text is in English:
"DeathDangerCompany"
It will then start to delete files from all disks.
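A triage check for the artifacts described under Installation and Other, given as an added example that is not part of the original description. It assumes %SYSTEM% is C:\WINDOWS\System32 (as in the registry value shown), that "??" stands for hex digits, and that the inputs are `reg query` output for the Run key and a file listing collected from the host; the sample data is constructed.

```python
import ntpath
import re

# Assumption: %SYSTEM% resolves to C:\WINDOWS\System32, as in the Run value above.
SYSTEM_DIR = r"c:\windows\system32"
DROP_DIR = SYSTEM_DIR + r"\svchostv"
FILE_PATTERNS = [
    re.compile(re.escape(DROP_DIR) + r"\\svchost\.exe"),
    # Assumption: "??" in Vshell?? is one or more hexadecimal digits.
    re.compile(re.escape(DROP_DIR) + r"\\svchostv\\vshell[0-9a-f]+\\1\.exe"),
    re.compile(re.escape(SYSTEM_DIR) + r"\\nsasabdox\.drv"),
    re.compile(r".*\\diablo\.bat"),  # the description does not give its folder
]
# One value line of `reg query` output: 4 spaces, name, type, data.
REG_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}REG_\w+\s{4}(?P<data>.*)$")
SVCHOST_RE = re.compile(r'[a-z]:\\[^"]*?\\svchost\.exe')

def norm(path):
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normpath(path.strip().strip('"')).lower()

def suspicious_run_values(reg_query_output):
    """Return (name, data) for Run values that start an svchost.exe look-alike."""
    hits = []
    for line in reg_query_output.splitlines():
        m = REG_LINE.match(line)
        found = SVCHOST_RE.search(m.group("data").lower()) if m else None
        # The genuine svchost.exe sits directly in System32; a copy anywhere
        # else, such as the SVCHOSTV folder, is a masquerade.
        if found and found.group(0) != SYSTEM_DIR + r"\svchost.exe":
            hits.append((m.group("name"), m.group("data")))
    return hits

def matching_files(paths):
    """Return the listed paths that match the dropped-file names."""
    return [p for p in paths if any(rx.fullmatch(norm(p)) for rx in FILE_PATTERNS)]

# Constructed sample input, not captured from a real system.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    SVHOST    REG_SZ    C:\WINDOWS\System32\SVCHOSTV\SVCHOST.EXE
"""
SAMPLE_FILES = [
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\WINDOWS\System32\SVCHOSTV\SVCHOST.EXE",
    r"C:\WINDOWS\System32\SVCHOSTV\SVCHOSTV\Vshell3F\1.exe",
    r"C:\WINDOWS\System32\NSASABDox.drv",
]
```

The registry check goes beyond the exact value on this page: it flags any Run entry that launches a file named svchost.exe from outside System32, so a renamed value or a moved folder is still caught.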