Win32/Girigat [Threat Name] go to Threat

Win32/Girigat.AA [Threat Variant Name]

Category virus
Detection created Sep 29, 2014
Detection database version 10483
Aliases Virus.Win32.Giri.4937.a (Kaspersky)
  Win32.Girgat.4937 (Dr.Web)
  W32.Giri (Symantec)
  Win32:Giri (Avast)
Short description

Win32/Girigat.AA is a file infector.

File infection

Win32/Girigat.AA is a file infector.

The virus infects files with the following extensions:

  • .exe
  • .scr
  • .cpl

Executables are infected by appending the code of the virus to the last section.

The host file is modified in a way that causes the virus to be executed prior to running the original code.

The virus infects files in the current folder.

It infects files stored in the following folders:

  • %windir%

The size of infected files is increased by 4937 - 5448 bytes.

Other information

The virus may create the following files:

  • C:\­Girigat.bmp

The virus may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Control Panel\­Desktop]
    • "Wallpaper" = "c:\­Girigat.bmp"
    • "TileWallpaper" = "0"
    • "WallpaperStyle" = "0"
  • [HKEY_CURRENT_USER\­Control Panel\­Colors]
    • "Background" = "0 0 0"

The virus hooks the following Windows APIs:

  • CreateFileA (kernel32.dll)
  • CreateFileW (kernel32.dll)
  • FindFirstFileA (kernel32.dll)
  • FindFirstFileW (kernel32.dll)
  • FindNextFileA (kernel32.dll)
  • FindNextFileW (kernel32.dll)

The virus may display the following dialog windows:

Please enable Javascript to ensure correct displaying of this content and refresh this page.