
Virus:Win32/Codplat.A


First posted on 27 July 2010.
Source: SecurityHome

Aliases :

Virus:Win32/Codplat.A is also known as Trojan.HideDoc.1 (Dr.Web), W32.Phiskap.A (Symantec).

Explanation :

Virus:Win32/Codplat.A is a virus that infects document files. It deletes target files larger than a specified file size.

Virus:Win32/Codplat.A is a virus that infects document files that have the following extensions:

  • .DOC
  • .DOCX
  • .RTF

Installation

Virus:Win32/Codplat.A drops itself in the root folder (usually C:) as "ntsys.exe". It searches for the presence of the file "C:\NOTVIRUS.TXT" and quits if this text file is present.

Spreads via...

File infection

Virus:Win32/Codplat.A searches for files to infect in the following folders and subfolders:

  • C:\Documents and Settings
  • C:\Program Files
  • %windir%

It searches these folders for target files with any of the following extensions:

  • .DOC
  • .DOCX
  • .RTF

The target document is encrypted and the virus body is appended to it. Virus:Win32/Codplat.A creates the folder "C:\Temp32\<random name>" when the infected file is opened. Virus:Win32/Codplat.A then decrypts the infected file and then opens it, possibly to mislead the user into thinking that the document is intact.

Payload

Deletes files

Virus:Win32/Codplat.A deletes target files if they are larger than 10 MB.

Additional information

Virus:Win32/Codplat.A searches for the presence of the file "C:\Konstruktor.txt".
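
A triage sweep for the host artifacts this entry lists, written as an added example that is not part of the original write-up or of any vendor tool. It assumes "10 MB" means binary megabytes and that %windir% is the "Windows" folder on the drive being checked; the function name `sweep` and the result keys are hypothetical, and each finding is a lead for further analysis rather than a verdict.

```python
import os
import sys
from pathlib import Path

DOC_EXTS = {".doc", ".docx", ".rtf"}   # extensions the entry lists as targets
SIZE_LIMIT = 10 * 1024 * 1024          # "10 MB"; binary megabytes is an assumption
# Folders the entry says are searched; "Windows" stands in for %windir% (assumption).
SEARCH_DIRS = ("Documents and Settings", "Program Files", "Windows")
MARKERS = ("NOTVIRUS.TXT", "Konstruktor.txt")  # files the virus looks for in the drive root


def sweep(root, size_limit=SIZE_LIMIT, search_dirs=SEARCH_DIRS):
    """Collect the Codplat.A artifacts named in the entry under `root` (a drive root)."""
    # Windows names are case-insensitive, so index the root entries in lower case.
    entries = {p.name.lower(): p for p in Path(root).iterdir()}
    found = {"dropped_copy": None, "marker_files": [],
             "temp32_dirs": [], "docs_over_limit": []}

    copy = entries.get("ntsys.exe")
    if copy is not None and copy.is_file():
        found["dropped_copy"] = str(copy)
    found["marker_files"] = [str(entries[m.lower()]) for m in MARKERS
                             if m.lower() in entries]
    temp32 = entries.get("temp32")
    if temp32 is not None and temp32.is_dir():
        # Sub-folders here are created when an infected file is opened.
        found["temp32_dirs"] = sorted(str(d) for d in temp32.iterdir() if d.is_dir())

    for name in search_dirs:
        base = entries.get(name.lower())
        if base is None or not base.is_dir():
            continue
        # os.walk skips unreadable directories by default.
        for dirpath, _dirs, files in os.walk(base):
            for fname in files:
                path = Path(dirpath) / fname
                if path.suffix.lower() not in DOC_EXTS:
                    continue
                try:
                    if path.stat().st_size > size_limit:
                        found["docs_over_limit"].append(str(path))
                except OSError:
                    continue  # file vanished or is locked
    found["docs_over_limit"].sort()
    return found


if __name__ == "__main__":
    drive = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    print(sweep(drive) if os.path.isdir(drive) else f"{drive} is not a directory")
```

The `docs_over_limit` list names the documents the deletion payload would remove, which makes it a shortlist for checking backups on a host where any of the other keys is populated.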

    Analysis by Jaime Wong

    Last update 27 July 2010

     
