| Description:
|
Details
WinHLP.Demo
This is the first known "native" Windows32 HLP files infector, it does function and replicate as a Windows Help script embedded in help file structure (the first known virus affecting Windows HLP files was the "Win95.SK" infector).
When infected HLP file is opened, the Windows Help system processes virus script and executes all functions placed there. By using a trick the virus forces Help system to execute a specially prepared data as binary Windows32 program, these data are included in one of instructions in the virus script. These data themselves are the "start-up" polymorphic routine that builds the main infection routine and executes it. The infection routine is a valid Windows32 procedure, and it is executed as a Windows32 application.
When infection routine takes control, it scans Windows kernel (KERNEL32.DLL image loaded in Windows memory) in usual for Win32 executable files parasitic infectors, and gets addresses of necessary Windows functions from there. The infection routine then looks for all Windows Help files in the current directory, and infects them all.
While infecting the virus modifies internal HLP file structure, adds its script to the "SYSTEM" area, converts its code to polymorphic start-up routine and includes it into the script.
Before run its infection routine, and when infection is finished, the virus displays the MessageBoxes:
HLP.Demo
Trying to infect
HLP.Demo
Script comes to end! |
