Weird is a not dangerous memory resident parasitic Win32 virus.
It writes itself to the end of PE EXE files (Windows executable)
by increasing last file section and modifying PE header fields.
The virus copy in infected files consists of two parts. First
part (starter) is a short routine (about one kilobyte of code and
data), the second part is the main virus code (about 10Kb of
size) encrypted with silly encryption loop.
When the infected file is executed, the starter takes control,
decrypts the second part of virus code, drops it to Windows
directory as a PE EXE file with random name and executes it. The
main virus instance stays memory resident as a hidden Windows
application, runs a low priority thread that periodically scans
drives' directory trees, looks for PE EXE files and infects them.
The virus also affects the EXPLORER.EXE file. It copies it with
the EXPLORER.E name, infects this copy and writes the [rename]
instruction to the WININIT.INI file to replace original
EXPLORER.EXE with infected copy on next Windows startup.
The virus has a backdoor ability. When it is active as a Windows
application it opens Internet connection and waits for specific
calls from there. The virus has a lite list of supported commands
comparing to other known backdoors, but it allows to upload,
download, execute and delete files on the infected machine from
remote host.
