Details
Win95.Yurn
This virus infects Windows95 PE EXE (Portable Executable) files and the KERNEL32.DLL system file. When infecting a file, the virus writes itself to the end of the file: it increases the size of the last PE section, writes its body there and modifies the PE header. To take control when the program is executed, the virus modifies the program's entry point address. When infecting KERNEL32.DLL the virus uses a more complex method: it locates the public routine GetFileAttributesA and patches it with a CALL instruction that jumps to the virus code. As a result the entry point address of KERNEL32.DLL stays the same, but the virus takes control whenever an application queries file attributes.
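The appended-code pattern described above (last section grown, entry point redirected into it) is what a simple header heuristic can flag. The following is an added example, not code from the original description: a minimal PE header parser plus a check that reports whether the entry point RVA lands in the last section. The two sample images are constructed in memory (headers only, no section bodies) so the check runs offline; their names, layout values and the helper names are assumptions for the example.

```python
"""Heuristic check for appended-code PE infection of the kind described
for Win95.Yurn: the last section has been grown and AddressOfEntryPoint
now points into it. Added example; sample PE headers are constructed."""
import struct
from typing import Dict, List, Tuple

SECTION_HEADER_SIZE = 40
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER layout


def parse_pe(data: bytes) -> Tuple[int, List[Dict[str, int]]]:
    """Return (AddressOfEntryPoint, section headers) from an in-memory PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, rawsize, rawptr, *_ = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr,
        })
    return entry_rva, sections


def entry_point_in_last_section(data: bytes) -> bool:
    """True when the entry point RVA lies inside the last section of the image.
    Legitimate linkers normally place the entry point in the first code section,
    so an entry point in the last section is a signal worth a closer look."""
    entry_rva, sections = parse_pe(data)
    if len(sections) < 2:
        return False   # a single-section image gives no signal either way
    last = sections[-1]
    span = max(last["vsize"], last["rawsize"])
    return last["vaddr"] <= entry_rva < last["vaddr"] + span


def build_pe(entry_rva: int, sections: List[Tuple[bytes, int, int, int]]) -> bytes:
    """Construct minimal PE32 headers (no section bodies) for exercising the check.
    sections: (name, VirtualAddress, VirtualSize, SizeOfRawData). Test data only."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224   # standard PE32 optional header size
    # Machine=i386, NumberOfSections, TimeDateStamp, SymTab ptr, NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    table = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, vaddr, rawsize, 0, 0, 0, 0, 0, 0)
        for name, vaddr, vsize, rawsize in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples. CLEAN: entry point in .text. SUSPECT: the same layout
# after the last section has been grown and the entry point moved into the tail.
CLEAN = build_pe(0x1010, [(b".text", 0x1000, 0x2000, 0x2000), (b".data", 0x3000, 0x500, 0x600)])
SUSPECT = build_pe(0x3600, [(b".text", 0x1000, 0x2000, 0x2000), (b".data", 0x3000, 0xB00, 0xC00)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, "entry point in last section:", entry_point_in_last_section(image))
```

The check is a heuristic, not a signature: packers and some linkers also put the entry point in a late section, so it belongs in a triage pipeline alongside other indicators rather than as a sole verdict.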
When an infected PE EXE file is executed, the virus scans the Windows95 kernel for eleven routines:
GetTickCount, GetWindowsDirectory, SetFileAttributes, CreateFileA,
SetFilePointer, ReadFile, WriteFile, FindClose, GetSystemDirectoryA,
GetFileAttributesA, CopyFileA
The virus then uses the addresses of these routines to search for files and infect them; it calls them directly in the Windows95 kernel.
The virus then locates the KERNEL32.DLL file in the SYSTEM directory, copies it to the WINDOWS directory (usually the parent of the SYSTEM subdirectory) and infects the newly created copy. The virus then returns control to the host program.
When the infected KERNEL32.DLL is loaded, the virus stays in Windows95 memory as part of the kernel and hooks GetFileAttributesA calls. When a PE EXE file is accessed through that call, the virus infects it.
The virus has bugs: it may corrupt files and halt the system while infecting. The virus contains the text string:
* [YURN] by Virogen *