Win95.Dupator.150 Viruses Information
Name: Win95.Dupator.150
Category: Viruses
Description:
Details
Win95.Dupator.1503
This is a harmless memory resident parasitic Win32 virus. It infects Win32 PE EXE files and also infects KERNEL32.DLL Windows system files. The virus does not manifest itself in any way. Because of a bug, the virus does not work on WinNT machines.
While infecting a file, the virus creates a new PE section at the end of the file and writes its code there. In the case of applications, the virus then modifies the program's start-up address, and in the case of KERNEL32.DLL, the virus patches the export table (see below). The virus section in infected files is named "DUPATOR!", and this string may be used for manual detection of infected files.
When an infected program is run, the virus takes control and infects the KERNEL32.DLL file. To do this, the virus copies this file from the Windows system directory (where this file is located by default) to the Windows directory, for example:
WINDOWS\SYSTEM\Kernel32.Dll -> WINDOWS\Kernel32.Dll
WINNT\SYSTEM32\Kernel32.Dll -> WINNT\Kernel32.Dll
and infects this copy. While infecting, the virus patches the KERNEL32.DLL Export table so that the GetFileAttributesA function points to the virus code in the infected KERNEL32.DLL file. The virus then returns control to the host program and is not active anymore.
The virus infection routine is then activated only when an infected KERNEL32.DLL is loaded into Windows memory (upon the next Windows start-up). The GetFileAttributesA function points to virus code, so the virus does not need to perform any additional actions to stay in Windows memory: it stays memory resident as a part of KERNEL32.DLL and hooks the file-attributes reading routine. When this call is made by any application, the virus infects the corresponding file if it is in PE EXE format.
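The section-name check mentioned above, as an added example that is not part of the original description: it parses the PE section table and reports a section named "DUPATOR!". The function names, the constructed header-only sample and the entry-point test (an inference from the start-up address change, not a check the page itself gives) are assumptions.

```python
import struct

MARKER = b"DUPATOR!"  # section name given in the description above (exactly 8 bytes)

def pe_sections(data):
    """Return (entry_rva, [(name, vaddr, vsize), ...]) or None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    nsec, = struct.unpack_from("<H", data, pe_off + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    opt_off = pe_off + 24
    if opt_size < 20 or opt_off + opt_size > len(data):
        return None
    entry, = struct.unpack_from("<I", data, opt_off + 16)    # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt_off + opt_size + 40 * i                    # 40-byte section headers
        if off + 40 > len(data):
            break                                            # truncated section table
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        sections.append((data[off:off + 8], vaddr, vsize))
    return entry, sections

def check_dupator(data):
    """Report the marker section and, as an assumed heuristic, entry point inside it."""
    parsed = pe_sections(data)
    if parsed is None:
        return None
    entry, sections = parsed
    hits = [(va, vs) for name, va, vs in sections if name == MARKER]
    return {"marker_section": bool(hits),
            "marker_is_last": bool(sections) and sections[-1][0] == MARKER,
            "entry_in_marker": any(va <= entry < va + vs for va, vs in hits)}

def build_sample(names, entry_rva):
    """Constructed header-only PE image for the demo (not a real binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    secs = b"".join(n.ljust(8, b"\0") + struct.pack("<II", 0x1000, 0x1000 * (i + 1))
                    + b"\0" * 24 for i, n in enumerate(names))
    return dos + coff + opt + secs

if __name__ == "__main__":
    print(check_dupator(build_sample([b".text", b".data", MARKER], 0x3000)))
```

For an infected KERNEL32.DLL copy the entry-point test does not apply, since the description says the export table is patched there; the section name is the indicator in that case.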