Details
Win95.Invir.7051
This is a relatively harmless memory-resident parasitic polymorphic Win9x virus. It uses Win9x-specific calls, so infected files do not run under WinNT and instead produce the standard application-error message.
When the virus code gains control under Win9x, it switches from application level to the Windows kernel (Ring3 -> Ring0), hooks the file access functions (IFS API) and infects PE EXE files when they are opened or renamed, or when their file attributes are read or set.
While infecting a file, the virus encrypts its code and writes it to the end of the last file section. It also writes two further blocks of code and data to the ends of the "code" and "data" sections: the virus-entry routine goes at the end of the "code" section, and the data used by the polymorphic decryption loop goes at the end of the "data" section. Splitting the main (encrypted) virus body, the entry routine and the decryptor's data across three sections in this way is done to make the virus-detection and -disinfection routines more difficult to write.
The virus' polymorphic engine uses one more trick. To build a polymorphic decryption routine, it first generates Assembler-like source code and then "compiles" it into binary executable code. The virus' author apparently chose this method to make the polymorphic engine easy to improve in the future.
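The placement described above (virus pieces written into the tail of existing sections) leaves a footprint a scanner can look for: a section whose SizeOfRawData exceeds its VirtualSize normally has that slack zero-filled by the linker, so non-zero bytes there are worth a closer look, as is any data appended past the last section (an overlay). The following is an added example, not code from the original description or from any product: it builds two constructed, minimal PE32 images in memory (one clean, one with placeholder bytes written into the section slack, standing in for appended code rather than reproducing any virus code), then parses the section table and reports sections with non-zero slack and the overlay size. Field offsets follow the documented PE format; the sample byte values and section contents are constructed for the example.

```python
import struct

# PE layout constants (documented format; only what the example needs).
FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000
DOS_HDR_LEN = 64
COFF_FMT = "<HHIIIHH"      # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECT_FMT = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
OPT_HDR_LEN = 0xE0          # size of a PE32 optional header


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections):
    """Construct a minimal PE32 image (constructed test fixture, not a real program).

    `sections` is a list of (name, raw_bytes, virtual_size). raw_bytes may be
    longer than virtual_size to simulate data written into the section slack.
    """
    n = len(sections)
    hdr_len = DOS_HDR_LEN + 4 + struct.calcsize(COFF_FMT) + OPT_HDR_LEN + n * struct.calcsize(SECT_FMT)
    raw_ptr = _align(hdr_len, FILE_ALIGN)
    va = SECT_ALIGN
    sect_hdrs, body = b"", b""
    for name, raw, vsize in sections:
        raw_size = _align(len(raw), FILE_ALIGN)
        sect_hdrs += struct.pack(SECT_FMT, name.ljust(8, b"\0"), vsize, va, raw_size, raw_ptr,
                                 0, 0, 0, 0, 0x60000020)  # CODE | EXECUTE | READ
        body += raw.ljust(raw_size, b"\0")  # linker-style zero fill of the rest of the slack
        raw_ptr += raw_size
        va += _align(max(vsize, raw_size), SECT_ALIGN)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", DOS_HDR_LEN)  # e_lfanew at offset 60
    coff = struct.pack(COFF_FMT, 0x14C, n, 0, 0, 0, OPT_HDR_LEN, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(OPT_HDR_LEN, b"\0")  # PE32 magic, rest zeroed
    headers = (dos + b"PE\0\0" + coff + opt + sect_hdrs).ljust(_align(hdr_len, FILE_ALIGN), b"\0")
    return headers + body


def parse_sections(image):
    """Return the section table as a list of dicts (name, vsize, va, rsize, rptr)."""
    e_lfanew = struct.unpack_from("<I", image, 60)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff_off = e_lfanew + 4
    _, nsect, _, _, _, opt_len, _ = struct.unpack_from(COFF_FMT, image, coff_off)
    off = coff_off + struct.calcsize(COFF_FMT) + opt_len
    out = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr, *_ = struct.unpack_from(SECT_FMT, image, off + i * struct.calcsize(SECT_FMT))
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "vsize": vsize, "va": va, "rsize": rsize, "rptr": rptr})
    return out


def find_section_slack_code(image):
    """List (section name, count of non-zero bytes) for sections whose slack is not zero-filled.

    Slack is the file range between VirtualSize and SizeOfRawData. A non-zero
    slack is a heuristic indicator only: some linkers and packers legitimately
    place data there, so a hit should trigger closer inspection, not a verdict.
    """
    findings = []
    for s in parse_sections(image):
        if s["rsize"] <= s["vsize"]:
            continue
        slack = image[s["rptr"] + s["vsize"]: s["rptr"] + s["rsize"]]
        nonzero = sum(1 for b in slack if b)
        if nonzero:
            findings.append((s["name"], nonzero))
    return findings


def overlay_size(image):
    """Bytes present in the file after the end of the last section's raw data."""
    end = max(s["rptr"] + s["rsize"] for s in parse_sections(image))
    return max(0, len(image) - end)


# Constructed fixtures: a tiny stub function and a 4-byte data blob.
CLEAN_CODE = bytes([0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3])  # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
CLEAN_DATA = b"\x01\x02\x03\x04"
SAMPLE_CLEAN = build_pe([(b".text", CLEAN_CODE, len(CLEAN_CODE)),
                         (b".data", CLEAN_DATA, len(CLEAN_DATA))])
# Placeholder bytes written past VirtualSize in both sections (constructed filler, not any real payload).
SAMPLE_TAMPERED = build_pe([(b".text", CLEAN_CODE + b"\xE9" + b"\x90" * 15, len(CLEAN_CODE)),
                            (b".data", CLEAN_DATA + b"\xAA" * 8, len(CLEAN_DATA))])

if __name__ == "__main__":
    for label, img in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        print(label, "slack findings:", find_section_slack_code(img), "overlay:", overlay_size(img))
```

On the constructed fixtures the clean image reports no findings, while the tampered one reports non-zero slack in both `.text` and `.data`; appending bytes after the last section shows up as an overlay instead. Real-world triage would combine this with entry-point and section-size checks rather than relying on slack alone.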
The virus does not manifest itself in any way. It contains the following text strings:
You can not find what you can not see.
Invirsible by Bhunji (Shadow VX)