Details
Win32.Evol.a
This is a family of parasitic, polymorphic, per-process memory-resident Win32 viruses. When an infected file is executed, the virus runs its infection routine as a separate thread that searches for and infects files in the background until the host program exits.
The viruses infect Win32 PE executable files with .EXE and .SCR extensions. First they infect EXE and SCR files in the Windows directory and its subdirectories. Then they scan all fixed drives on the local machine and infect files there. Then they scan and infect remote drives, and finally they enumerate network resources (shared network drives) and infect them as well. As a result, the viruses can infect most Win32 executable files on a local machine and spread across the local network.
Before infecting a file, the viruses check its name and skip the following anti-virus programs: ALERT, AMON, AVP, F-PROT, NAV, SCAN.
While infecting, the virus obtains the address of the file's entry point, moves the block of host code found there to the end of the file, and writes its own code at the entry point address. To hand control back to the host, the virus reverses the infection at run time: it reads the displaced block of host code from the end of the file and puts it back at the original entry address.
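As an added example (not Evol's code and not taken from this page), the following Python models the entry-point hijack and the run-time restore just described, using a constructed, simplified file layout in which the first four bytes hold the entry offset. It also applies the name-based exclusion list from the previous paragraph, assuming case-insensitive substring matching on the file name, which the page does not specify. A real PE locates the entry point through AddressOfEntryPoint and the section table; that mapping is omitted so the save/restore mechanics stay visible.

```python
import struct

# Constructed, simplified file layout for this example (not a real PE):
#   bytes 0..3 : little-endian offset of the entry point within the file
#   bytes 4..  : the rest of the file (header padding, then code)
# A real PE locates the entry point via AddressOfEntryPoint and the section table.

# Names the page lists as skipped. Assumption: case-insensitive substring match on the name.
EXCLUDED_NAMES = ("ALERT", "AMON", "AVP", "F-PROT", "NAV", "SCAN")


def is_excluded(path):
    """True if the file name contains one of the anti-virus program names the virus avoids."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].upper()
    return any(av in name for av in EXCLUDED_NAMES)


def entry_offset(data):
    return struct.unpack_from("<I", data, 0)[0]


def infect(host, virus_body):
    """Displace the host bytes at the entry point to the end of the file and write the
    virus body in their place. The overwrite has the same length as the displaced block,
    so nothing else in the host moves and no relocation is needed."""
    ep = entry_offset(host)
    n = len(virus_body)
    if ep + n > len(host):
        raise ValueError("host too small for an in-place overwrite at the entry point")
    displaced = host[ep:ep + n]
    return host[:ep] + virus_body + host[ep + n:] + displaced


def restore_host(infected, virus_len):
    """The run-time hand-off: read the displaced block from the end of the file and put
    it back at the entry point. Applied to the file instead of the process image, this
    is also the disinfection step (the trailing saved block is dropped)."""
    ep = entry_offset(infected)
    displaced = infected[-virus_len:]
    image = bytearray(infected[:-virus_len])
    image[ep:ep + virus_len] = displaced
    return bytes(image)


# Constructed sample host: entry point at offset 8, followed by a few x86 bytes
# (push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret; nops).
SAMPLE_HOST = struct.pack("<I", 8) + b"HDR!" + bytes(
    [0x55, 0x89, 0xE5, 0x31, 0xC0, 0x5D, 0xC3, 0x90, 0x90, 0x90])
SAMPLE_VIRUS = b"VIRUS"  # placeholder stand-in for the 5-byte virus body

if __name__ == "__main__":
    infected = infect(SAMPLE_HOST, SAMPLE_VIRUS)
    print("entry bytes after infection:", infected[8:13])
    print("displaced host block at EOF:", infected[-5:])
    print("restore gives original host:",
          restore_host(infected, len(SAMPLE_VIRUS)) == SAMPLE_HOST)
```

Because the displaced block is kept verbatim at the end of the file, the same routine that hands control to the host also recovers the clean file once the virus body length is known. Note that the substring assumption in is_excluded would also skip unrelated names such as NAVIGATOR.EXE; the page does not say how strict the virus's own comparison is.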
The viruses use a fairly complex polymorphic engine that in some cases rebuilds the virus code itself. In different infected files, different assembler instructions, or different sequences of instructions, are used to perform the same operations. As a result, the virus is not encrypted, yet it contains no constant stretch of code long enough for a signature, and the length of the virus body varies from file to file.
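To make the signature problem concrete, here is an added Python example (a constructed model, not Evol's engine and not from this page) of instruction substitution with junk insertion: three IR ops, each with several x86 encodings that have the same effect on EAX, are expanded into every body the engine could emit, a byte signature taken from one sample is tested against all of them, and a small normalizer folds the variants back to one canonical form, which is what a scanner needs instead of fixed bytes. The opcode bytes are standard 32-bit x86 encodings; the IR and the set of forms are this example's own.

```python
import itertools

# Opcodes used (32-bit x86): 31 C0 = xor eax,eax ; 29 C0 = sub eax,eax ;
# B8 imm32 = mov eax,imm32 ; 68 imm32 = push imm32 ; 58 = pop eax ; 90 = nop ; C3 = ret
NOP, RET = b"\x90", b"\xc3"


def forms(op):
    """All byte encodings of one IR op. IR ops: ('zero',), ('load', imm), ('ret',)."""
    if op[0] == "zero":
        return [b"\x31\xc0", b"\x29\xc0", b"\xb8" + bytes(4)]  # xor / sub / mov eax,0
    if op[0] == "load":
        imm = op[1].to_bytes(4, "little")
        return [b"\xb8" + imm, b"\x68" + imm + b"\x58"]       # mov eax,imm / push imm; pop eax
    if op[0] == "ret":
        return [RET]
    raise ValueError(op)


def all_generations(ir):
    """Enumerate every body the engine can emit for `ir`: one form per op,
    each optionally followed by a junk NOP. Lengths and bytes differ per body."""
    per_op = [[f + junk for f in forms(op) for junk in (b"", NOP)] for op in ir]
    return [b"".join(parts) for parts in itertools.product(*per_op)]


def normalize(code):
    """Decode bytes back to canonical IR: fold equivalent forms, drop junk."""
    ir, i = [], 0
    while i < len(code):
        b = code[i]
        if code[i:i + 2] in (b"\x31\xc0", b"\x29\xc0"):
            ir.append(("zero",)); i += 2
        elif b == 0xB8:
            imm = int.from_bytes(code[i + 1:i + 5], "little"); i += 5
            ir.append(("zero",) if imm == 0 else ("load", imm))
        elif b == 0x68 and code[i + 5:i + 6] == b"\x58":
            imm = int.from_bytes(code[i + 1:i + 5], "little"); i += 6
            ir.append(("zero",) if imm == 0 else ("load", imm))
        elif b == 0x90:
            i += 1
        elif b == 0xC3:
            ir.append(("ret",)); i += 1
        else:
            raise ValueError(f"unknown byte {b:#x} at offset {i}")
    return ir


def signature_hits(bodies, sig):
    """How many bodies a fixed byte signature would catch."""
    return sum(sig in body for body in bodies)


# Constructed sample program: eax = 0 ; eax = 0x1234 ; ret
SAMPLE_IR = [("zero",), ("load", 0x1234), ("ret",)]
# Signature lifted from one sample: xor eax,eax ; mov eax,0x1234
SAMPLE_SIG = b"\x31\xc0\xb8\x34\x12\x00\x00"

if __name__ == "__main__":
    bodies = all_generations(SAMPLE_IR)
    print(len(set(bodies)), "distinct bodies;",
          signature_hits(bodies, SAMPLE_SIG), "match the byte signature")
    print("all normalize to the same IR:", all(normalize(b) == SAMPLE_IR for b in bodies))
```

For this three-op program the engine already has 48 distinct outputs, and the seven-byte signature catches only the four in which both the first form and the absence of junk happen to coincide with the sample it was taken from; every one of the 48 decodes to the same IR, which is why detection of this class of virus works on decoded or emulated code rather than on raw bytes.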