Zori is a virus that infects executable files. It is written in Delphi.
Once launched, the virus copies itself to the \WINDOWS\%SYSTEM%\SVCHOSTV\ with the name SVCHOST.EXE and creates a copy of the auto-run key in the system registry to ensure it launched each time the operating system starts:
"SVHOST" = "C:\WINDOWS\System32\SVCHOSTV\SVCHOST.EXE"
It also creates its copy in the folder \WINDOWS\%SYSTEM% \SVCHOSTV\SVCHOSTV\VShell??\1.exe where characters ?? are replaced by a hexadecimal number.
Once installed, the virus starts to search for executable files stored on the hard drives available. The worm infects these files by adding your own code in their initial parts. Once infected, the file size increases by 438,272 bytes.
The virus creates a folder \Windows\System text file named NSASABDox.drv and writes the date of its launch.
In certain circumstances, the virus can hide the button to open the Windows Start menu, control panel, or other components of the operating system, as well as open the tray of the CD-ROM drive.
The virus creates and runs a batch file named diablo.bat consisting of the following commands:
shutdown-s-t 30-c "Hi, I am Death. I Want to send the enormous hello: Oxy, Alke, punk-y Dashe and others Goblin. PS (Bye "Hacker", you possible can not restart the computer) "-f
It displays on the screen the Russian text, the first line is written in English:
Hello, "[...]". This is Death.
After the end of nine days from the first time the virus appears on the screen again and again the Russian text, the first of his line is written in English:
The worm then deletes all files from all available drives.