Classification

Category: Malware

Type: Virus

Aliases: Burglar, Grangrave

Summary

This virus infects EXE programs when they are accessed or executed. In addition, Burglar searches for new victims and infects them when the 'file attribute change' function (used by ATTRIB) and the 'get free disk space' function (used by DIR and many other commands) are called.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Burglar has stealth features: it hides the change in the size of infected files when they are viewed with the DIR command.

Every time the virus infects files, it checks the time. If the minute field is 14, the virus activates and writes a flashing message in the top left corner of the screen:

Burglar/H

The virus also contains an unencrypted text which is never shown:

AT THE GRAVE OF GRANDMA

Burglar has anti-heuristics mechanisms. It checks for and does not infect Windows programs or programs which contain 'V' or 'S' in the file name (covering programs like VIRSTOP, SCAN, VSHIELD, MSAV, NAV, CPAV etc).

Since Burglar is resident, a clean boot is necessary before disinfecting an infected hard drive.

Burglar contains a programming error which causes it to occasionally corrupt EXE files. Such programs do not work and cannot be disinfected. Burglar contains several bugs, and it can cause problems with several memory managers.

Burglar was found in the wild internationally in January 1996. It has been spread in an infected version of a demo called 'Dawn', in a copy-protect crack for a game called Dune 2 and in a pirated beta of PKLite v2.00.