Virus:Win32/Codplat.A
First posted on 27 July 2010.
Source: SecurityHome
Aliases :
Virus:Win32/Codplat.A is also known as Trojan.HideDoc.1 (Dr.Web), W32.Phiskap.A (Symantec).
Explanation :
Virus:Win32/Codplat.A is a virus that infects document files. It deletes target files larger than a specified file size.
Virus:Win32/Codplat.A is a virus that infects document files that have the following extensions:
.DOC
.DOCX
.RTF

Installation
Virus:Win32/Codplat.A drops itself in the root folder (usually C:) as "ntsys.exe". It searches for the presence of the file "C:\NOTVIRUS.TXT" and quits if this text file is present.

Spreads via...
File infection
Virus:Win32/Codplat.A searches for files to infect in the following folders and subfolders:
C:\Documents and Settings
C:\Program Files
%windir%
It searches these folders for target files with any of the following extensions:
.DOC
.DOCX
.RTF
The target document is encrypted and the virus body is appended to it. Virus:Win32/Codplat.A creates the folder "C:\Temp32\<random name>" when the infected file is opened. Virus:Win32/Codplat.A then decrypts the infected file and then opens it, possibly to mislead the user into thinking that the document is intact.

Payload
Deletes files
Virus:Win32/Codplat.A deletes target files if they are larger than 10 MB.

Additional information
Virus:Win32/Codplat.A searches for the presence of the file "C:\Konstruktor.txt".
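
A host triage check for the file-system artifacts described above, added here as an example and not part of the original analysis. It assumes that an encrypted document no longer begins with a normal Word, ZIP or RTF signature; the function names and the "Windows" fallback folder are choices made for this example.

```python
import os
import sys
from pathlib import Path

# Leading bytes of clean files of the three target types (standard signatures).
# Any of them is accepted for any extension, since Word also saves RTF as .doc.
SIGNATURES = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file (.doc)
              b"PK\x03\x04",                         # ZIP container (.docx)
              b"{\\rtf")                             # RTF
TARGET_EXTS = {".doc", ".docx", ".rtf"}              # extensions listed in the write-up


def host_artifacts(root):
    """Report which file-system artifacts named in the write-up exist under root."""
    root = Path(root)
    return {
        "ntsys.exe": (root / "ntsys.exe").is_file(),        # dropped copy
        "Temp32": (root / "Temp32").is_dir(),               # made when an infected file is opened
        "NOTVIRUS.TXT": (root / "NOTVIRUS.TXT").is_file(),  # virus quits if present
        "Konstruktor.txt": (root / "Konstruktor.txt").is_file(),  # looked for by the virus
    }


def suspicious_documents(folders):
    """Return sorted paths of target-type files that start with none of SIGNATURES.

    Assumption (not stated in the write-up): encryption covers the file header.
    """
    hits = []
    for folder in folders:
        for dirpath, _dirs, files in os.walk(folder):
            for name in files:
                if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(8)
                except OSError:
                    continue  # locked or unreadable: skip rather than abort the sweep
                if head and not head.startswith(SIGNATURES):
                    hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    folders = [os.path.join(root, "Documents and Settings"),
               os.path.join(root, "Program Files"),
               os.environ.get("windir", os.path.join(root, "Windows"))]
    for name, present in host_artifacts(root).items():
        print(f"{name}: {'present' if present else 'absent'}")
    for path in suspicious_documents(folders):
        print("header mismatch:", path)
```

A header mismatch is a lead for closer inspection, not a verdict: damaged or mislabelled documents produce the same result.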
Analysis by Jaime Wong
Last update 27 July 2010