Win32.Mental
This is a dangerous per-process memory-resident, parasitic, polymorphic Win32 virus. The virus looks for PE EXE files with .EXE, .SCR, and .CPL extensions in the current, Windows and Windows system directories and infects them. While infecting a file, the virus encrypts its code and writes it to the Relocation section (Fixup table, usually at the end of the file), and writes the polymorphic decryption loop into the middle of the file, in the Code section.
The virus then scans the Import table and hooks file access functions (file creation, opening, searching, moving, executing, etc.). The virus's hook routines obtain the file name and run the infection routine. As a result, for the "lifetime" of an infected application the virus is active, intercepts access to PE EXE files, and infects them.
The virus's polymorphic generator has a very serious bug that in some cases damages infected files. As a result, these files are not functional, and Windows displays a standard application error message when these files are run.
The virus deletes the following anti-virus data files: AVP.CRC, ANTI-VIR.DAT, CHKLIST.MS, and IVB.NTZ. It also does not infect files that have the letter 'V' in the file name, or files (anti-virus programs) whose names begin with: TB, SC, F-, PA, DR.
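A defensive check for the infection method described above, added here as an example and not part of the original description: if the fixup data in the Relocation section has been replaced by encrypted code, it no longer parses as a sequence of base relocation blocks. The function name, the allowed-type set and the sample bytes are assumptions of this example, and the caller is assumed to supply the relocation table bytes and SizeOfImage read from the PE headers.

```python
import struct

# Fixup types a Win32 (x86) linker normally emits. Treating any other type as
# suspicious is an assumption of this heuristic, not something the page states.
ALLOWED_TYPES = {0, 3}  # IMAGE_REL_BASED_ABSOLUTE (padding), IMAGE_REL_BASED_HIGHLOW
PAGE = 0x1000


def check_reloc_table(data: bytes, size_of_image: int) -> list[str]:
    """Walk IMAGE_BASE_RELOCATION blocks; return anomalies (empty list = well-formed)."""
    problems, pos, blocks = [], 0, 0
    while pos + 8 <= len(data):
        page_rva, block_size = struct.unpack_from("<II", data, pos)
        if page_rva == 0 and block_size == 0:
            break  # zero padding after the last block
        if page_rva % PAGE or page_rva >= size_of_image:
            problems.append(f"block @{pos:#x}: bad page RVA {page_rva:#x}")
        if block_size < 8 or block_size % 4 or pos + block_size > len(data):
            problems.append(f"block @{pos:#x}: bad SizeOfBlock {block_size:#x}")
            break  # the next block cannot be located, stop walking
        entries = struct.unpack_from(f"<{(block_size - 8) // 2}H", data, pos + 8)
        bad = sorted({e >> 12 for e in entries} - ALLOWED_TYPES)
        if bad:
            problems.append(f"block @{pos:#x}: unexpected fixup types {bad}")
        pos += block_size
        blocks += 1
    if blocks == 0 and any(data):
        problems.append("no valid relocation block in non-empty table")
    return problems


def _block(page_rva: int, offsets: list[int]) -> bytes:
    """Build one well-formed relocation block (used only for the constructed sample)."""
    entries = [(3 << 12) | o for o in offsets]
    if len(entries) % 2:
        entries.append(0)  # ABSOLUTE padding entry keeps the block 4-byte aligned
    return struct.pack(f"<II{len(entries)}H", page_rva, 8 + 2 * len(entries), *entries)


# Constructed samples: a clean two-block table, and a deterministic byte
# pattern standing in for encrypted data written over the table.
CLEAN = _block(0x1000, [0x10, 0x24, 0x138]) + _block(0x2000, [0x4, 0x8])
OVERWRITTEN = bytes((i * 37 + 11) % 256 for i in range(64))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("overwritten", OVERWRITTEN)):
        print(name, check_reloc_table(blob, size_of_image=0x5000) or "well-formed")
```

A malformed table is only an indicator for closer inspection: files linked without relocations, packed files and files built for other architectures can also fail or bypass this check.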
The virus has two infecting routines that are activated on the 17th of March, June, September and December. The first routine covers the screen with "NAZKA" placed at random positions on the screen. The second routine displays the following message box:
Virus NAZKA
(c) Virus NAZKA by The Mental Driller / 29A