A friend of mine recently got a virus and called me over to help remove it. Since this is an all too common scenario, I figured that I would dive into how a modern virus is written, as well as explain what it does in an effort to help you understand how complex these things have become. She had Trojan.Peed.Gen on her machine, and noticed that her computer had slowed down considerably and her internet seems much slower as well. Another telltale sign of this virus is that it there will be TONS of random, small files on your machine in almost every directory.

Trojan.Peed.Gen is formed by 2 components:
a) Main component. This is the main file (that contains the secondary component). Once it is executed it performs the following operations:
• It infects executable files. For every executable file, a new copy of the main viral file is created (with a random name and hidden attributes) in the same directory as the executable. This will increase the number of files on your hard drive.
• Every 4 seconds it enumerates all the windows from the system and close the ones that contain in there title name of antivirus products. It also closes processes like regedit or taskmgr.
• It searches email addresses on files smaller than 120k located on local disks. It filters some of the email addresses (that contains .gov, .mil, etc). It then sends itself via email. The subject may be one of the following strings:

The Time for Love	When You Fall in Love	Your Love Has Opened
I Love You with All I Am	My Love	Our Love is Free
Eternity of Your Love	I Love You Soo Much	Wrapped in Your Arms
Our Little Nest	Hugging My Pillow	The Dance of Love
Falling in Love with You	Why I Love You	A Kiss So Gentle
Miracle of Love	A Token of My Love	For You...My Love
Our Love Will Last	Inside My Heart	The Miracle of Love
Our Love is Strong	Love Remains	I am Complete
I Dream of you	Dream Girl	I Believe
Unmatchable Beauty	Baby, I'll Be There	Rose for my Love
I Love You So	I Love Thee	I'll Be Your Man
Will You?	Want You to Know	Internet Love
Only You	Passionate Kiss	Kiss Coupon
Breakfast in Bed Coupon	Romantic Picnic Coupon	Dinner Coupon
Massage Coupon	A Relaxing Coupon	Steamy Sex Coupon
Bubble Bath Coupon	Dream Date Coupon	A Day in Bed Coupon
Feeling Horny?	Kisses, Hugs & Roses	The Love Bugs
A Little (sex) Card	A Kiss for You	A Monkey Rose for You
I Woof You	We Are Different	You Are My Guiding Star
Puppy Love	You Rock Me!	Time Are Hard, I Luv U
Crazy way to say I Luv U	You Were Worth the Wait	Showers of Love
Can't Wait to See You!	You're My Hero	You Brighten My Day
Love at First Sight	The Mood for Love	I Love You Mower
A Romantic Place	We're a Perfect Fit	Love is in the Air
Emptiness Inside Me	Our Love Everyday	I Can't Function
5 Reasons I Love You	You Lucky Duck!	Peek-A-Boo
Last Night was Hot!	When I look at you	You are out of this world
Memories	Wild Nights--Wild Nights	I Think of You
A Bouquet of Love	I Would Give you Anything	Hold Me (distant love)
Between Us	In My Heart	From this day forward
You're Soo kissable	Angel of Love	Thinking about you
Love for Granted	How Much I Love You	A Hug & Roses
Summer Love	A Weekend Getaway	My Heart is Thinking
Moonlit Waterfall	Steamy Dream	My Heart belongs to you
Every Inch of Your Body	Our love is torn by miles	A Special Kiss
Won't you dance with me	A Red Hot Kiss	The Sweet Taste of Love
A Special Flower for You	Just You & Me	Till Morning's Light

Let me put it this way: That was only HALF of the subjects that it used! The mail will have as an attachment a file named : “Flash Postcard.exe”,” greeting postcard.exe” , “greeting card.exe” or “postcard.exe”;
• It may copy itself in %system% directory (usually with the name of alsys.exe). It will modify “HKLM\\SOFTWARE\Microsoft\\Windows\\CurrentVersion\\Run” adding a new key “Agent” that runs the file copied in the %system% directory. This will ensure that the virus is executed when Windows starts.
• It drops and executes a program that will install the second component (wincom32.sys)
b) Second component (wincom32.sys). This is a rootkit component that will hide itself and its configuration file wincom32.ini. The following key (HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wincom32) is created in order ensure that the driver is loaded when Windows starts. The “ini” file (wincom32.ini) contains a white list (a peers list of infected machine) and a black list. Wincom32.sys contains a secondary executable file that updates wincom32.ini. This executable can also download and run different files. It uses port 7871 UDP to communicate with other hosts (similar with a P2P network). It may receive commands to download from one of these hosts.
As you can see, computer viruses have become quite complicated. By combining a social engineering attack with the use of a rootkit to hide its existence, and common viral practices this is a scary thing indeed! Want to know what is really scary about this? This isn't anywhere near the worst case situation for a computer virus. The really nasty ones are designed to be completely stealth, latch on to critical OS files, and prevent deletion. Why would someone do this?
I will be writing a brief article about the motivations of the average malware author/group, but it boils down to money. What else right? Well, there used to be something else actually. These kinds of attacks used to be done for notoriety and respect. The fact of the matter is that there is alot of money to be made by doing this, and once the initial work is done, there is little left to do after the fact. In the impoverished parts of the world where these things tend to originate (currently the Russian territory and the Asian region) this is a fast way to make money. Don't look for it to end anytime soon.