Summary

The Feliz trojan appeared on the 1st of January 2000. This trojan is written in Delphi. Being run the trojan first outputs a dialog with a picture and a single button:



When the button is clicked the trojan looks for C:\Windows\ directory and if it is found outputs the final messagebox:



At the same time the trojan deletes the following files:

 C:\COMMAND.COM
 C:\WINDOWS\COMMAND\COMMAND.COM
 C:\WINDOWS\SYSTEM.DAT
 C:\WINDOWS\USER.DAT
 C:\WINDOWS\SYSTEM.INI
 C:\WINDOWS\WIN.INI
 C:\WINDOWS\SYSTEM.CB
 C:\WINDOWS\WIN.COM

Then the trojan passes control to the operating system. At this time the operating system becomes unstable and it will no longer start after next computer reboot.

If C:\Windows\ directory is not found by the trojan it will output a number of messageboxes and pass control to operating system without activating its payload.













[Analysis: Alexey Podrezov, F-Secure Corp.]