Technorati
Digg
Delicious
Reddit
StumbleUpon
Facebook
Yahoo
Twitter
Faves
Newsvine
- Discovered:
- June 29, 2001
- Updated:
- February 13, 2007 11:46:04 AM
- Type:
- Trojan Horse
This is a memory-resident Trojan horse. It has an icon that makes it look like an ordinary text file. Every 10 minutes, it checks for a disk in drive A. If it finds one, it deletes as many files as is necessary to ensure enough space on the disk to copy both itself and another necessary, larger file to the disk.
The Trojan deletes the following files, and replaces them with copies of itself: Attrib.exe, Edit.com, Format.com, Deltree.exe, Ed.cab, Mscdex.exe, Appwiz.cpl, Attrib.com, and Deltree.com.
The Trojan can also change its file name to one of 18 different names, such as Readme.exe, Texto.exe, and so on. The first time that it is run, it starts Notepad and displays the email address of the Trojan author. The Trojan adds a value to the registry so that it is run when Windows starts. The 30th time that the Trojan is activated, it deletes all files on the drive C, and displays a message box titled Uruguay that contains the text Billrus.
Antivirus Protection Dates
- Initial Rapid Release version June 29, 2001
- Latest Rapid Release version August 20, 2008 revision 017
- Initial Daily Certified version June 29, 2001
- Latest Daily Certified version August 20, 2008 revision 016
- Initial Weekly Certified release date pending
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Threat Assessment
Wild
- Wild Level: Low
- Number of Infections: 0 - 49
- Number of Sites: 0 - 2
- Geographical Distribution: Low
- Threat Containment: Easy
- Removal: Difficult
Damage
- Damage Level: High
Distribution
- Distribution Level: Low
Writeup By: SARC Engineer
