|VIRUS NAME: W32/Chiton
W32/Chiton is a family of viruses which are direct file infectors. After running a single infected file, the virus will infect files in the current directory and subdirectories. Targets files are 32bit PE (Portable Executable) files, such as .EXE and .DLL. In the family we can find:
W32/Chiton.a (alias Chthon)
W32/Chiton.b (alias Shrug)
W32/Chiton.c (alias Out812)
W32/Chiton.d (alias Efish)
W32/Chiton.e (alias Gemini)
Under NT/2000/XP platforms, W32/Chiton.a & W32/Chiton.b are able to infect .EXE files via a Thread Local Storage call. It seems to be the first viruses using this replication technique.
W32/Chiton.a drops a file called "CHTHON.EXE" in the "\windows" directory. For example \windows\chthon.exe on win9x based systems, and \winnt\chthon.exe for Win2000 based systems. The filesize of this dropped file is 2387 bytes.
W32/Chiton.c drops a file called "VB6ENG.DLL" in the "\windows" directory. Its filesize is 2094 bytes.
W32/Chiton.e drops a file called "GEMINI.EXE" in the "\windows" directory. its filesize is 2788 bytes. The viral process is visible in the task manager as "gemini".
32 bit PE type files (.EXE .DLL) have appended or inserted viral code. A and E variants are not crypted and the string "roy g biv" is visible.
Method Of Infection
Manually running an infected file activates the virus.