Win95.Bonk family Viruses Information
Name: Win95.Bonk family
Category: Viruses
Description:
Details
Win95.Bonk family
These are dangerous memory resident parasitic Windows95/98 viruses. They install themselves into Windows memory and write themselves to PE EXE files that are opened. The viruses have a bug and replicate only under a specific environment; otherwise they halt the system. The viruses contain the text string:
[BONK32] by Vecna/29A
They also write the "BONK" ID-text to the CheckSum field of the PE header. To prevent duplicate infection, the viruses test the file header for this text before infecting it.
The viruses use several tricks while installing memory resident and while infecting files. They allocate memory and install themselves into the VxD area (Ring0) using a method similar to that of "Win95.CIH". Running in Ring0, the viruses hook IFS API calls, intercept file opening, compare the file extension with EXE, and call the infection routine.
While infecting a file the viruses use one of two ways to patch the program's entry address: they either modify the entry address field in the PE header, or patch the original entry routine with a JMP_Virus instruction. The second way is selected only when there are no relocated addresses at the program's entry.
The viruses write their code to two parts of the file. The first part of the virus code (the entry routine, about 200 bytes) is saved in the file header; the main part of the virus code is written to the end of the file. This second part is written as an "overlay": the viruses do not modify the PE header to attach this code to the infected file's code and force Windows to load it when an infected file is executed. To access this second part, the virus entry routine opens the host file, seeks to the end of the file and reads the main virus code from there.
To make file disinfection more complex, the viruses encrypt part of the host file (100h bytes at the file entry) and do not store the encryption key. To be able to restore the original host data before returning control to the host program, the viruses calculate the CRC of the host block and store it. To decrypt the host data, the viruses try all possible keys: for each key they decrypt, calculate the CRC and compare it. If the CRC matches the original one, the viruses return to the host entry routine.
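A defender-side check for the infection marker described above, written here as an added example and not taken from the original page or from any scanner: it locates the CheckSum field of IMAGE_OPTIONAL_HEADER by walking the DOS and PE headers (offsets from the PE/COFF specification) and reports whether the field holds the "BONK" ID-text. It assumes the marker is stored as the four ASCII bytes in file order; the minimal PE image built by `build_minimal_pe` is constructed test data.

```python
import struct

BONK_MARKER = b"BONK"  # ID-text the page says is written to the PE CheckSum field

def pe_checksum_field_offset(data: bytes):
    """Return the file offset of IMAGE_OPTIONAL_HEADER.CheckSum, or None if
    the buffer is not a well-formed PE image (too short, bad MZ/PE signature,
    optional header too small to contain the field)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # IMAGE_NT_HEADERS: 4-byte "PE\0\0", 20-byte COFF file header, optional header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # SizeOfOptionalHeader is at offset 16 of the COFF file header
    (size_of_opt,) = struct.unpack_from("<H", data, e_lfanew + 4 + 16)
    opt_hdr = e_lfanew + 4 + 20
    # CheckSum sits at offset 64 in both PE32 and PE32+ optional headers
    if size_of_opt < 68 or opt_hdr + 68 > len(data):
        return None
    return opt_hdr + 64

def has_bonk_marker(data: bytes) -> bool:
    """True if the CheckSum field holds the literal "BONK" ID-text (assumed
    to be stored as the four ASCII bytes in file order)."""
    off = pe_checksum_field_offset(data)
    return off is not None and data[off:off + 4] == BONK_MARKER

def build_minimal_pe(checksum_bytes: bytes) -> bytes:
    """Constructed test image: DOS stub, PE signature, COFF header, PE32
    optional header with the given bytes in the CheckSum field."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    # Machine=i386, 1 section, no timestamp/symbols, 224-byte optional header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    opt[64:68] = checksum_bytes
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

if __name__ == "__main__":
    for sample in (build_minimal_pe(BONK_MARKER), build_minimal_pe(b"\0\0\0\0")):
        print("BONK marker present:", has_bonk_marker(sample))
```

To scan a real file, pass `open(path, "rb").read()` to `has_bonk_marker`; a hit means the CheckSum field carries the marker, which a clean linker would never emit there.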