Win32.Highway
It is a harmless, non-memory-resident parasitic Windows virus. It searches for PE EXE files in the current and Windows directories, then writes itself to the end of each file. While infecting, the virus increases the size of the last file section to hold its code, patches the Import Table to gain access to the Windows functions it needs, and modifies the program's startup address.
To run its infection procedure, the virus creates the HIGHWAY.DLL file in the Windows system directory, writes its code there, and runs this file.
Under Win95/98 the virus procedure is activated only when an infected program starts. Under WinNT the virus installs itself into the system so that its DLL is activated each time any program starts. To do that the virus creates the registry key:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS
and sets it to "HIGHWAY.DLL". As a result, after the next reboot the virus DLL is loaded into the address space of each application as it initializes, so whenever a program is executed the virus tries to infect each EXE file in the current directory and the Windows directory (thanks to Adrian Marinescu, GeCAD Software, who located this trick in the virus code).
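A defender can audit the registry value described above from collected `reg query` output. The following is an added example, not part of the original description: the sample outputs are constructed, and the HKEY_LOCAL_MACHINE hive, the `vendorhook.dll` allowlist entry and the function names are assumptions.

```python
import re

# Constructed `reg query` output for the Windows key described above, as it
# might be collected from two hosts. The HKEY_LOCAL_MACHINE hive is an
# assumption; the page gives only the subkey path.
SAMPLE_CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ
    LoadAppInit_DLLs    REG_DWORD    0x0
"""
# vendorhook.dll is a hypothetical, legitimately installed DLL.
SAMPLE_SUSPECT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    vendorhook.dll,HIGHWAY.DLL
    LoadAppInit_DLLs    REG_DWORD    0x1
"""

VALUE_RE = re.compile(r"^[ \t]+(\S+)[ \t]+(REG_\w+)(?:[ \t]+(.*))?$")


def parse_reg_query(text):
    """Map lower-cased value names to their data for one queried key."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group(1).lower()] = (m.group(3) or "").strip()
    return values


def audit_appinit(text, allowlist=()):
    """Report AppInit_DLLs entries that are not on the allowlist."""
    values = parse_reg_query(text)
    # The value is a list of DLL names separated by spaces or commas.
    dlls = [d for d in re.split(r"[ ,]+", values.get("appinit_dlls", "")) if d]
    allowed = {name.lower() for name in allowlist}
    unexpected = [d for d in dlls if d.lower() not in allowed]
    # Newer Windows versions load the list only when LoadAppInit_DLLs is
    # non-zero; a missing value is treated as enabled to stay conservative.
    load = values.get("loadappinit_dlls")
    enabled = load is None or int(load, 16) != 0
    return {"dlls": dlls, "unexpected": unexpected, "enabled": enabled}


if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        print(name, audit_appinit(sample, allowlist=["vendorhook.dll"]))
```

Any entry reported under `unexpected` on a host where `enabled` is true is loaded into every process that initializes through this mechanism and should be investigated.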
The virus does not manifest itself in any way. Different versions of the virus contain the texts:
"Highway.a": Can a road be a prision?
"Highway.b": Ser a estrada uma pris?o?