It provides access to the affected computer.
It does not spread automatically by its own means.
Detection updated on: June 2, 2009
Yes, using TruPrevent Technologies
W32/Orochi.3982 is a Spanish virus that affects computers running Windows 98 and Windows NT. It was written by HanKy, a member of the virus-writing group H0l0kausT. It is an encrypted virus with a size of 3982 bytes. It runs on computers with Intel microprocessors that support MMX instructions.
After infecting the computer, it activates on July 3rd. It then replaces the original MBR (Master Boot Record) with one of its own whose task is to erase the CMOS memory and, if present, the flash BIOS. This is why W32/Orochi.3982 is considered a very destructive virus. Moreover, the virus uses anti-debugging and anti-antivirus techniques that make it particularly difficult to detect.
Another characteristic worth noting is that W32/Orochi.3982 does not infect files when the system is running Windows 95, because it relies on a particular Win32 API function that is not implemented in the Windows 95 kernel.
Files are infected when the minute value of the system clock reads 30. The infection is carried out on the C:, D:, E:, F:, G: and H: drives (if they exist); in other words, the virus affects all the drives of the computer.
After carrying out the infection, W32/Orochi.3982 remains in the system until its activation date, July 3rd. On activation it carries out its entire destructive payload, which consists of the following steps.
Replacement of the original MBR (Master Boot Record) with its own code, which is used to carry out all the subsequent operations.
Erasure of the CMOS memory. This wipes the entire contents of that memory, which include, among other things, the boot and system configuration settings.
Erasure of the flash BIOS memory. If it exists, W32/Orochi.3982 also wipes its contents.
Once each of these steps has been completed, the infected computer is left completely disabled: it destroys the boot sector of the hard disk held in CMOS. To do this it uses code specific to this type of action, similar to the code used by other viruses such as W32/CIH.