Win32.Heretic - Virus Information

Name: Win32.Heretic
Category: Viruses
Description:

This is a harmless, memory-resident, parasitic Windows virus. It replicates under Windows 95/98/NT and infects PE EXE files as well as KERNEL32.DLL. The virus installs itself in memory, hooks system events, and then writes itself to the end of PE EXE files as they are executed.
When an infected file is executed, the virus gets control, scans the system kernel in memory (the export table of KERNEL32.DLL) and obtains the addresses of the Windows functions it needs in order to modify files (CloseHandle, CopyFileA, CreateFileA, CreateFileMappingA, etc.).
The installation routine runs in two steps. First, the virus infects the KERNEL32.DLL file in the Windows system directory and then returns control to the host program. On the next reboot, when Windows loads the infected KERNEL32.DLL, the virus stays memory resident as part of KERNEL32 and activates its PE EXE infection routine.
While infecting KERNEL32.DLL, the virus writes itself to the end of the file and patches the export table. Two functions are redirected to the virus code: CreateProcessA and CreateProcessW.
To gain write access to KERNEL32.DLL (which can only be opened read-only while Windows is running), the virus uses an "update" trick. It copies KERNEL32.DLL from the Windows system directory to the Windows root directory and infects the copy there. That copy is not loaded, so the virus is able to write to it. To replace the original KERNEL32.DLL with the infected one, the virus registers the copy as an "update" through a special Windows function. As a result, on the next reboot Windows carries out this update and replaces the original KERNEL32.DLL with the infected copy.
When the virus runs as part of KERNEL32.DLL, its hooks on the CreateProcessA and CreateProcessW functions let it intercept file execution, and every PE EXE file that is executed gets infected. The virus uses the traditional infection method: it increases the size of the file's last section, appends its code there, and then modifies the program's entry point address to point to that code.
The virus does not manifest itself in any way. It contains the following text strings:
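As an added, defensive example (not code from the original page or from any AV vendor), the following Python check looks for the infection symptom just described: a PE EXE whose entry point address lies inside its last section instead of the normal code section. It parses the PE headers directly with struct; the PE builder, the section layouts and both sample images are constructed for the example and contain no real virus code.

```python
import struct

# Sample input: a constructed, minimal PE32 image (DOS header, NT headers and
# section table only, no section bodies). It is not real malware.
def build_pe(entry_rva, sections):
    """sections: list of (name_bytes, virtual_address, virtual_size)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew -> NT headers
    opt = bytearray(224)                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, va, vs, 0, 0, 0, 0, 0, 0x60000020)
        for n, va, vs in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table

def parse_sections(pe):
    """Return (entry_point_rva, [(name, virtual_address, virtual_size)])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", pe, e_lfanew + 40)[0]      # AddressOfEntryPoint
    base = e_lfanew + 24 + opt_size                             # start of section table
    secs = []
    for i in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", pe, base + 40 * i)
        secs.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize))
    return entry, secs

def entry_in_last_section(pe):
    """Flag the appender symptom described above: the entry point RVA falls
    inside the last section rather than the usual code section. Single-section
    files are skipped, since there the check would always fire."""
    entry, secs = parse_sections(pe)
    if len(secs) < 2:
        return False
    _, va, vsize = secs[-1]
    return va <= entry < va + vsize

LAYOUT = [(b".text", 0x1000, 0x2000), (b".data", 0x3000, 0x1000)]
CLEAN = build_pe(0x1100, LAYOUT)      # entry point in .text
SUSPECT = build_pe(0x3800, LAYOUT)    # entry point inside the (last) .data section
```

Packed or self-extracting executables legitimately start in a late section, so treat a hit as a reason to inspect the file, not as a verdict on its own.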
[nop] 4 life.. lapse, vg and jp own you! :)
[Heretic] by Memory Lapse
For my thug niggaz.. uptown baby, uptown.



© 2006-2008 spyware32.com - Privacy Policy