Description:

Details
Win95.Voodoo.1537
It is a harmless (no destructive payload) memory-resident, encrypted, parasitic Win32 virus. It stays resident in Windows memory and, depending on system events, searches for files in "C:\Program Files" and other directories and infects them. When infecting a file the virus enlarges the file's last section, encrypts itself and writes its body there, and modifies the program's entry point address in the PE header so that the virus code runs first. Because of a bug in its infection routine the virus cannot replicate under Windows NT; it replicates under Windows 95 only. The virus does not manifest itself in any way; it contains the author's "copyright" text:
Star0 - Magic Voodoo
When an infected file is executed, the virus decrypts itself, scans the KERNEL32.DLL code and obtains the addresses of the Windows API functions it needs (GetSystemTime, CreateThread, FindFirstFileA, FindNextFileA and others). The virus then allocates a block of system memory, copies itself there and hooks the ExitProcess function. To install the hook it again scans the KERNEL32.DLL code and patches it with the address of the virus's hook routine.
The virus also uses multitasking: its ExitProcess handler receives control directly from the Windows kernel, while the infection routine runs as a separate thread. When the infection routine takes control, it waits 5 seconds, then searches the directory tree for PE EXE files and infects them.
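The file-level marks this description gives (last section enlarged, entry point redirected into it) are what a triage script can look for. The following Python is an added example written for this page, not code from the original description or from any antivirus vendor: it builds two constructed PE32 header images (a clean layout and the same layout with the last section grown and the entry point moved into it), parses the COFF/optional headers and section table with the standard `struct` module, and reports when the entry point falls in the last section or that section is not marked as code or is writable. The sample headers are synthetic and contain no code; the function and constant names are this example's own.

```python
import struct

# Constants from the PE format (winnt.h).
IMAGE_DOS_SIGNATURE = 0x5A4D        # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550     # "PE\0\0"
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(entry_point_rva, sections):
    """Build a minimal, constructed PE32 header image (not a real executable).

    sections: list of (name, virtual_address, virtual_size, raw_size, characteristics).
    Only the fields read by parse_pe() are filled in; everything else stays zero.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF file header: Machine=i386, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                              # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_point_rva)  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)         # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)           # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)            # FileAlignment
    table = b""
    raw_ptr = 0x400
    for name, va, vsize, rsize, chars in sections:
        table += struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), vsize, va,
                             rsize, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += rsize
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + bytes(opt) + table


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE header image."""
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER, data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rsize": rsize,
                         "raw_ptr": rptr, "chars": chars})
    return entry, sections


def entry_section_index(entry, sections):
    """Index of the section whose address range contains the entry point, or None."""
    for i, s in enumerate(sections):
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["rsize"]):
            return i
    return None


def check_last_section_entry(data):
    """Heuristic triage for appending infectors of the Voodoo type: flag a file whose
    entry point sits in the last section, and note when that section is not marked
    as code or is writable. Returns a list of findings (empty = nothing suspicious)."""
    entry, sections = parse_pe(data)
    findings = []
    idx = entry_section_index(entry, sections)
    if idx is None:
        findings.append("entry point 0x%x lies outside every section" % entry)
        return findings
    last = sections[-1]
    if len(sections) > 1 and idx == len(sections) - 1:
        findings.append("entry point 0x%x is in the last section %s" % (entry, last["name"]))
        if not last["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            findings.append("last section %s is not marked as code/executable" % last["name"])
        if last["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append("last section %s is writable" % last["name"])
    return findings


# Constructed samples: a clean layout, and the same layout after the last section has
# been enlarged and the entry point redirected into it (the change described above).
CLEAN = build_pe(0x1010, [
    (b".text", 0x1000, 0x200, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x2000, 0x200, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
ENTRY_IN_LAST = build_pe(0x2200, [
    (b".text", 0x1000, 0x200, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x2000, 0x800, 0x800, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("entry-in-last", ENTRY_IN_LAST)):
        print(label, check_last_section_entry(blob) or ["no findings"])
```

Run it on a real file by replacing the constructed blobs with `open(path, "rb").read()`. Treat the result as triage, not a verdict: packers and some linkers legitimately place the entry point in the last section, and a virus that sets the executable flag on the section it appends to will only trigger the first finding, so a hit should be followed by disassembly at the entry point and a comparison against a known-good copy of the file.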