Aliases: Win32.ZHymn.a, W95/Zhymn.a, W32/ZHymn
Variants: PE_USSRHYMN.A, Win32.Zombie.19986

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 09 Nov 2000
Damage: High

Characteristics: The W95/Ussrhymn program infects files on Windows 95 or Windows 98 systems. The virus is based on W95.Bistro, but does not include the features that made W95.Bistro so difficult to detect. It infects PE files and adds an infected .exe to .rar and .zip archive files. It also alters Wsock32.dll and contains support for UUEncoded files.

More details about W95.Ussrhymn

Once an infected file is executed, W95/Ussrhymn gains control through a modified entry point that points somewhere into the first section of the program file. The virus inserts its code at the start of the first section and shifts down the code that was originally there, taking into account the location information in that section. The virus starts with a time-wasting loop intended to make 32-bit code emulators give up before they find the virus. It uses various APIs from Advapi32.dll, Kernel32.dll, and Winmm.dll. The API names are not stored in the virus: it keeps only checksums of the APIs it needs to call, and it does not store their addresses anywhere in itself. Instead, it looks the addresses up again each time a function is called.

The W95.Ussrhymn software can send information about the system to a remote server. An FTP (File Transfer Protocol) connection or an embedded e-mail engine can be used to send the data. The user's activities may be monitored and recorded. Keylogger functions can be used to capture data entered into the system. Stolen information can include passwords, banking information, whole documents, and personal and financial data. These can be used to commit fraud or steal the user's identity.