
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Orochi.3982

 
Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Common name: Orochi.3982
Technical name: W32/Orochi.3982
Threat level: Low
Type: Trojan
Effects: It allows access to the affected computer. It does not spread automatically using its own means.
Affected platforms: Windows ME/98/95
Detection updated on: June 2, 2009
Statistics: No
Proactive protection: Yes, using TruPrevent Technologies

Brief Description 

    
W32/Orochi.3982 is a Spanish virus that affects computers with Windows 98 and Windows NT. It was created by HanKy, a member of the virus-writing group called H0l0kausT. It is an encrypted virus and its size is 3982 bytes. It runs on computers with Intel microprocessors that can interpret MMX instructions.

After infecting the computer, it activates itself on the 3rd of July. It then replaces the original MBR (Master Boot Record) with another one whose task is to delete the CMOS and flash-BIOS memory, if it exists. This is why W32/Orochi.3982 is considered to be a very destructive virus. Moreover, this virus uses some anti-debugging and anti-antivirus techniques, which make it particularly difficult to detect.

Another characteristic worth noting is that W32/Orochi.3982 does not infect files if the system is running under Windows 95, because a special Win32 API function is not implemented in the Windows 95 kernel.

Visible Symptoms 

    

Files are infected when the minutes of the system clock read 30. The infection is carried out on the C:, D:, E:, F:, G: and H: drives (if they exist). In other words, the virus affects all the drives of the computer.

After carrying out the infection, W32/Orochi.3982 remains in the system until its activation date, which in this case is the 3rd of July. On activation, it carries out its full destructive payload:

  • Replacement of the original MBR (Master Boot Record) with its own code, which helps it to carry out all the subsequent operations.

  • Deletion of the CMOS memory. It erases all the contents of this memory, which include, among other things, the boot and system configuration settings.

  • Deletion of the Flash-BIOS memory. If it exists, W32/Orochi.3982 also deletes its contents.

When each of these objectives has been successfully attained, the infected computer is left completely disabled. It eliminates the boot sector of the hard disk contained in CMOS. To do this, it uses code specific to this type of action, which is similar to the code used by other viruses such as W32/CIH.