 Tuareg
Threat Level:  Low
Distribution:  Low
Damage: High
The Threat Level varies according to the Distribution and Damage levels
 
  Effects
 

Tuareg has the following effects:

  • It infects files with the following extensions: EXE (programs), SCR (screensavers) and CPL (some Windows Control Panel units).

    As a result of infecting EXE files, some of the programs on the infected computer may be damaged.
  • It changes the home page of the browser Internet Explorer to www.thehungersite.com.

  Means of infection
 

Tuareg modifies the following entries in the Windows Registry so that it can change the home page of the browser:

  • HKLM\Software\Microsoft\Internet Explorer\Main Start Page
    To change the home page of Internet Explorer.
  • HKLM\Software\Netscape\Netscape Navigator\Users\
    To change the home page of Netscape Navigator.
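
A triage check for the Internet Explorer entry above, as an added example that is not part of the original Panda write-up: it parses a registry export in `.reg` text format and reports whether the Start Page value points at the host named on this page. The function names and the sample export are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re
from urllib.parse import urlsplit

# Indicators as given on this page.
IE_MAIN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main"
START_PAGE = "Start Page"
TUAREG_HOME_HOST = "www.thehungersite.com"

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
STRING_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

def _unescape(text):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", text)

def parse_reg_export(text):
    """Map lowercased key path -> {lowercased value name: REG_SZ data}."""
    hive, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION_RE.match(line)
        if section:
            current = hive.setdefault(section.group("key").lower(), {})
            continue
        value = STRING_RE.match(line)
        if value and current is not None:
            current[_unescape(value.group("name")).lower()] = _unescape(value.group("data"))
    return hive

def start_page_host(hive):
    """Host of the IE Start Page value, or None when the value is absent."""
    data = hive.get(IE_MAIN_KEY.lower(), {}).get(START_PAGE.lower())
    if data is None:
        return None
    url = data if "://" in data else "http://" + data
    return (urlsplit(url).hostname or "").lower()

def is_tuareg_start_page(hive):
    return start_page_host(hive) == TUAREG_HOME_HOST

# Constructed sample export (already decoded to text), not captured from a real host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"="C:\\WINDOWS\\System32\\blank.htm"
"Start Page"="http://www.thehungersite.com/"
'''

if __name__ == "__main__":
    print(is_tuareg_start_page(parse_reg_export(SAMPLE_EXPORT)))
```

Key paths and value names are compared case-insensitively because the registry treats them that way; a match on the home page alone is a lead for further file scanning, not proof of infection.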

Tuareg follows the infection routine below:

  • It stops the functions of the system library Kernel32 (core of the operating system), such as those that find, open, close, copy, and rename files.
  • Tuareg goes memory resident as part of the process to which the infected program belongs. This program acts as a host for the virus.
  • In order to infect a file, Tuareg encrypts its code and adds it to the end of the file that it is infecting.
  • Then, it encrypts a part of the initial code of the infected program and adds it to the body of its own code (already encrypted) at the end of the file, where the original details of the host were.
  • Tuareg uses a polymorphic decryption routine. This routine will restore the encrypted code of the infected file and of the virus, when the infected program is run.
  • The polymorphic encryption engine may also include calls to Windows internal functions (API). The decryption is not a linear process, but rather a pseudo-random one (the routine decrypts non-consecutive DWORDs).

  Means of transmission
 

Tuareg does not use any specific means to spread. It can reach computers through any of the means normally used by viruses: CD-ROMs, e-mail messages with infected attachments, Internet downloads, FTP, etc.


  Other details
 

Other interesting characteristics of Tuareg are:

  • Once it is decompressed, the following text can be read:
    [Virus TUAREG v1.2 by The Mental Driller/29A] - This virus has been designed for carriying the TUAREG engine
  • The virus code contains the names of some commercial antivirus programs, from which it tries to protect itself:
    AVP.CRC
    ANTI-VIR.DAT
    CHKLIST.MS
    IVB.NTZ

Last updated:  Dec. 1, 2000 

 

  © Panda 2009