Win95.Marburg Virus Information

Name: Win95.Marburg
Category: Viruses
Description:
Win95.Marburg.a

This text was written with the help of Peter Szor, Data Fellows.
This is a direct-action (non-memory-resident) polymorphic Windows 95 virus. It infects PE EXE (Portable Executable) files, which it searches for in the current, Windows and System directories. Because of bugs the virus is not able to replicate under Windows NT, so it is Windows 95 specific.
When an infected file is executed, the virus looks up KERNEL32 routines: first GetModuleHandleA and GetProcAddress, then 22 more functions (see the list below; the last three, GetDC, LoadIconA and DrawIcon, are USER32 exports, which is why LoadLibraryA and the string USER32.dll also appear). To locate them it uses a method similar to that of the "Win32.Cabanas" virus: while infecting a file, it scans the file's import table for GetModuleHandleA and GetProcAddress and saves their addresses in the virus code. If the import table has no such entries, the virus scans the KERNEL32 code for them.
If the virus is unable to locate the KERNEL32 functions, it immediately returns control to the host program. Otherwise it allocates a block of memory, copies its code there (this is needed to run the polymorphic engine), then searches for files and infects them.
While infecting a file the virus appends its code to the last section, increasing that section's length beforehand. Before writing its body to the file it encrypts it with a polymorphic routine (the polymorphic engine is very similar to the one found in the "Win95.HPS" virus). Depending on the file's structure the virus then uses one of three tricks to complicate detection and disinfection: it replaces the entry point address in the PE header with its own (the way most Win32 viruses infect files); or it writes a JMP_Virus instruction at the original entry point and leaves the entry point in the PE header unchanged (as "Win32.Cabanas" does); or it writes a polymorphic junk routine at the entry point, followed by a JMP_Virus instruction.
Before infecting, the virus deletes the data files of several anti-virus integrity checkers: ANTI-VIR.DAT, CHKLIST.MS, AVP.CRC, IVB.NTZ. While infecting it checks file names and skips files whose name contains the letter 'V', as well as the anti-virus programs PANDA, F-PROT and SCAN.
The payload depends on the system date: when an infected file is executed three months after it was infected, during the same hour of the day in which the infection took place, the virus draws the standard Windows error icon (a white cross in a red circle) at randomly selected positions on the screen.
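The three entry-point layouts described above, shown as an added example that is not part of this description and not the virus's own code: a small Python script that builds constructed PE32 images in memory (no real sample is involved), parses the PE headers, and reports which layout the entry point uses. The file and section alignments, the 64-byte scan window, the section names and the placeholder section contents are assumptions made for the demonstration; the scan for E9 (JMP rel32) is a plain byte scan, not a disassembler, so it only finds the "junk then JMP" case when the JMP sits inside the scanned window.

```python
# Added example: entry-point heuristics for appended-code PE infections.
# Builds constructed PE32 images instead of touching real samples, then
# classifies the three entry-point tricks described in the text.
import struct
from collections import namedtuple

FILE_ALIGN = 0x200       # assumed file alignment for the constructed images
SECT_ALIGN = 0x1000      # assumed section alignment
OPT_HDR_SIZE = 224       # size of IMAGE_OPTIONAL_HEADER32

Section = namedtuple("Section", "name va vsize raw_ptr raw_size")


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections, entry_rva):
    """Build a constructed, minimal PE32 image from [(name, bytes), ...].
    Only the header fields that parse_pe() reads are filled in."""
    n = len(sections)
    raw_ptr = _align(0x40 + 4 + 20 + OPT_HDR_SIZE + 40 * n, FILE_ALIGN)
    hdrs, bodies = [], []
    for i, (name, data) in enumerate(sections):
        raw_size = _align(len(data), FILE_ALIGN)
        hdrs.append(struct.pack("<8sIIIIIIHHI", name.encode(), len(data),
                                SECT_ALIGN * (i + 1), raw_size, raw_ptr,
                                0, 0, 0, 0, 0x60000020))
        bodies.append(data.ljust(raw_size, b"\0"))
        raw_ptr += raw_size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, OPT_HDR_SIZE, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)  # entry point at +16
    head = dos + b"PE\0\0" + coff + opt.ljust(OPT_HDR_SIZE, b"\0") + b"".join(hdrs)
    return head.ljust(_align(len(head), FILE_ALIGN), b"\0") + b"".join(bodies)


def parse_pe(buf):
    """Return (AddressOfEntryPoint, [Section, ...]) for a PE32 file."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", buf, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]   # SizeOfOptionalHeader
    opt = pe + 24
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    secs = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", buf, opt + opt_size + 40 * i)
        secs.append(Section(name.rstrip(b"\0").decode(), va, vsize, raw_ptr, raw_size))
    return entry, secs


def section_of(secs, rva):
    for s in secs:
        if s.va <= rva < s.va + max(s.vsize, s.raw_size):
            return s
    return None


def classify_entry(buf, window=64):
    """Report how control reaches the last section (where appended code would
    live).  The E9 search is a byte scan over `window` bytes from the entry
    point, not a disassembly, so treat a hit as a lead, not a verdict."""
    entry, secs = parse_pe(buf)
    last = secs[-1]
    sec = section_of(secs, entry)
    if sec is None:
        return "entry point outside every section"
    if sec is last:
        return "entry point moved into last section"
    off = sec.raw_ptr + (entry - sec.va)
    window = min(window, sec.raw_size - (entry - sec.va))
    for i in range(window - 4):
        if buf[off + i] == 0xE9:                                # JMP rel32
            rel = struct.unpack_from("<i", buf, off + i + 1)[0]
            if section_of(secs, entry + i + 5 + rel) is last:
                return ("JMP at entry to last section" if i == 0
                        else "junk then JMP to last section")
    return "no jump to last section found"


def sample(variant):
    """Constructed images: .text at RVA 0x1000, appended body in .data at 0x2000."""
    text_rva, last_rva = SECT_ALIGN, SECT_ALIGN * 2
    host = b"\x55\x8B\xEC\xC3"               # stand-in host code (push ebp / mov ebp,esp / ret)
    body = b"\xCC" * 32                      # stand-in for the appended, encrypted virus body

    def jmp(from_rva, to_rva):
        return b"\xE9" + struct.pack("<i", to_rva - (from_rva + 5))

    if variant == "moved":                   # trick 1: header entry point -> last section
        return build_pe([(".text", host), (".data", body)], last_rva)
    if variant == "jmp":                     # trick 2: JMP_Virus at original entry, header untouched
        return build_pe([(".text", jmp(text_rva, last_rva)), (".data", body)], text_rva)
    if variant == "junk":                    # trick 3: junk prologue, then JMP_Virus
        junk = b"\x90" * 12
        return build_pe([(".text", junk + jmp(text_rva + 12, last_rva)), (".data", body)], text_rva)
    return build_pe([(".text", host), (".data", body)], text_rva)   # clean host


if __name__ == "__main__":
    for v in ("moved", "jmp", "junk", "clean"):
        print(f"{v:5}: {classify_entry(sample(v))}")
```

On a real file the "entry point in last section" and "JMP from entry into last section" checks are only indicators: packers and some linkers produce the same shapes, and the junk-prologue variant defeats a fixed-window byte scan as soon as the junk routine is longer than the window or contains a stray E9 byte.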
The virus contains the following text strings (the first block is the list of functions the virus looks for):
GetModuleHandleA GetProcAddress CreateFileA CreateFileMappingA
MapViewOfFile UnmapViewOfFile CloseHandle FindFirstFileA FindNextFileA
FindClose VirtualAlloc GetWindowsDirectoryA GetSystemDirectoryA
GetCurrentDirectoryA SetFileAttributesA SetFileTime DeleteFileA
GetCurrentProcess WriteProcessMemory LoadLibraryA GetSystemTime GetDC
LoadIconA DrawIcon
[ Marburg ViRuS BioCoded by GriYo/29A ]
KERNEL32.dll USER32.dll

© 2006-2008 spyware32.com - Privacy Policy