Win32.Cerebrus.1482
This is a direct-action (non-memory-resident) parasitic Windows infector. It infects files of any of the new executable formats: the Windows formats NE (Windows 3.xx) and PE (Portable Executable), as well as LX (Linear Executable). However, it is able to replicate only under Windows32, because it has the PE format and imports Windows32 functions.
When an infected file is executed, the virus takes control, searches for Windows .EXE files in the current directory and writes itself to the end of the file. While infecting, the virus does not modify the PE header at all; the infection method relies only on the DOS stub header: the virus writes there the new file offset of the PE header (the virus PE header). As a result, the infected file has three parts: the first part is the original DOS stub, the second part is the host PE data (not modified), and the third part is the virus code and.
The virus has a PE file structure: it contains a PE header, section headers, an import table, and code and data sections. The modified DOS stub in infected files points to the virus PE header instead of the original one. As a result, when Windows32 executes an infected file, it reads and runs the virus code instead of the host code.
To return to the host program, the virus creates a copy of the infected file with the EVE extension, disinfects it (just restores the file offset of the PE header) and spawns it. The virus does not delete these "temporary" files, so after an infected program is executed they stay on disk in the same directory as the infected file.
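The layout described above leaves a recognizable trace: the untouched host PE header still sits in the file, ahead of the header that the DOS stub now selects. The following is an added detection sketch, not code from the original description. It covers PE hosts only (not NE or LX), and the function names and the constructed sample image are assumptions made for illustration.

```python
import struct

PE_SIG = b"PE\0\0"
KNOWN_MACHINES = {0x014C, 0x8664}  # COFF machine values: i386, AMD64


def pe_header_offset(data):
    """Return e_lfanew (DOS header field at 0x3C), or None if not an MZ file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    return struct.unpack_from("<I", data, 0x3C)[0]


def looks_like_pe_header(data, off):
    """True if a PE signature plus a plausible 20-byte COFF header sits at off."""
    if off < 0 or off + 24 > len(data) or data[off:off + 4] != PE_SIG:
        return False
    machine, nsections = struct.unpack_from("<HH", data, off + 4)
    return machine in KNOWN_MACHINES and 0 < nsections <= 96


def shadowed_pe_headers(data):
    """Offsets of plausible PE headers located before the one e_lfanew selects."""
    active = pe_header_offset(data)
    if active is None or not looks_like_pe_header(data, active):
        return []
    hits, pos = [], data.find(PE_SIG, 0x40)
    while 0 <= pos < active:
        if looks_like_pe_header(data, pos):
            hits.append(pos)
        pos = data.find(PE_SIG, pos + 1)
    return hits


def _build_sample(appended_header):
    """Constructed image (not a real sample): DOS header, host PE, optional 2nd PE."""
    def hdr():
        return PE_SIG + struct.pack("<HH", 0x014C, 1) + b"\0" * 16
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    host = hdr() + b"\0" * 0x100
    tail = hdr() + b"\0" * 0x40
    struct.pack_into("<I", dos, 0x3C, 0x40 + len(host) if appended_header else 0x40)
    return bytes(dos) + host + (tail if appended_header else b"")


if __name__ == "__main__":
    print("redirected image:", shadowed_pe_headers(_build_sample(True)))
    print("clean image:     ", shadowed_pe_headers(_build_sample(False)))
```

A non-empty result is a heuristic indicator that the DOS stub pointer was redirected past an earlier, intact PE header; it is not a signature for this specific virus.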
The virus has a trigger routine that just beeps through the PC speaker when the virus takes control. The virus contains the following text strings; the first one is the block of names that the virus imports from KERNEL32 and USER32:
ExitProcess Beep GetCommandLineA CreateProcessA CopyFileA CreateFileA
SetFilePointer ReadFile WriteFile CloseHandle FindFirstFileA FindNextFileA
FindClose GetFileSize WinExec
MURKRY/IkX
CEREBRUS
The three head guardian, is in your computer, fear no more
*.EXE