Win95.Matrix.3597
This is a relatively harmless, memory-resident, polymorphic, parasitic Win9x virus. It stays resident in Windows memory as a device driver (VxD) by switching from application mode to the Windows kernel (Ring3->Ring0), hooks disk file access functions, and infects PE executable files with the EXE and SCR file-name extensions, as well as DOS COM files.
While infecting a PE EXE file, the virus encrypts itself and writes itself to the end of the file. The virus also patches the program's start-up code with a short routine that passes control to the main virus code.
While infecting DOS COM files, the virus writes a short routine to the end of the file. This routine has no infection abilities; it just displays a message on July 7th:
Wake up, Neoall
The Matrix has you...
w9x.mATRiX
The virus also infects the C:\WINDOWS\WIN.COM file in the same way.
On April 6th, the virus modifies the system registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoClose = 1
As a result of this key, a user cannot switch off the computer.
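A check for the registry change described above, as an added example that is not part of the original description: it scans a registry export (.reg text) for a non-zero NoClose value under Policies\Explorer in any hive. The sample export is constructed, the function names are hypothetical, and reading a binary-encoded value as a little-endian integer is an assumption.

```python
import re

# Key and value named in the description above, lower-cased for comparison.
POLICY_KEY = r"software\microsoft\windows\currentversion\policies\explorer"
VALUE_NAME = "noclose"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')

# Constructed sample export (not taken from an infected machine).
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=hex:95,00,00,00
"NoClose"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"NoClose"=dword:00000001
'''

def parse_value(raw):
    """Decode a .reg value to an int; return None for types not handled here."""
    raw = raw.strip().lower()
    try:
        if raw.startswith("dword:"):
            return int(raw[6:], 16)
        if raw.startswith("hex:"):  # REG_BINARY, assumed little-endian
            data = bytes(int(b, 16) for b in raw[4:].split(",") if b.strip())
            return int.from_bytes(data, "little")
    except ValueError:
        pass
    return None

def find_noclose(reg_text):
    """Return (key, value) for each non-zero NoClose under Policies\\Explorer."""
    hits, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            # "[-KEY]" in a .reg file deletes the key, so it sets no values.
            current = None if key.group(1) else key.group(2)
            continue
        val = VAL_RE.match(line)
        if val and current and current.lower().endswith(POLICY_KEY):
            if val.group(1).lower() == VALUE_NAME and parse_value(val.group(2)):
                hits.append((current, parse_value(val.group(2))))
    return hits
```

Calling `find_noclose(SAMPLE)` reports only the first key; the second key in the sample is not a policy key and is ignored.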
The virus also deletes anti-virus data files: AVP.CRC, ANTI-VIR.DAT, IVB.NTZ, CHKLIST.MS.
The virus contains the following text strings:
where 'xxxxxxx' is the virus' "generation" number.