Details
Win32.Giri.4919
This is a dangerous per-process memory-resident Windows virus. It affects only Windows executable files (PE EXE). While infecting a file, the virus increases the size of the last file section, writes its code there, and modifies the "program entry point" address and other necessary fields in the PE header.
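A defender-side check for the infection pattern described above (code appended to the last section, entry point redirected to it), as an added example that is not part of the original description: it parses the PE headers and reports which section holds the entry point. The `build_sample` helper and its section names are constructed test input; an entry point in the last section is a triage signal, not proof of infection.

```python
import struct

def entry_point_section(pe: bytes):
    """Return (index, name, is_last) for the section holding the entry point, or None."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)              # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (nsect,) = struct.unpack_from("<H", pe, nt + 6)         # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, nt + 20)     # SizeOfOptionalHeader
    (entry,) = struct.unpack_from("<I", pe, nt + 24 + 16)   # AddressOfEntryPoint
    table = nt + 24 + opt_size                              # first section header
    for i in range(nsect):
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", pe, table + 40 * i)
        if va <= entry < va + max(vsize, rawsize):
            return i, name.rstrip(b"\0").decode("ascii", "replace"), i == nsect - 1
    return None

def build_sample(entry_rva: int) -> bytes:
    """Constructed two-section PE32 image (headers only) for the demonstration."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    def sect(name, vsize, va, raw, ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, ptr, 0, 0, 0, 0, flags)
    sects = (sect(b".text", 0x1000, 0x1000, 0x200, 0x400, 0x60000020)
             + sect(b".reloc", 0x2000, 0x2000, 0x1400, 0x600, 0xE2000040))
    return dos + b"PE\0\0" + coff + opt + sects

if __name__ == "__main__":
    for rva in (0x1234, 0x2F00):        # entry in .text, then in the last section
        print(hex(rva), entry_point_section(build_sample(rva)))
```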
When an infected file is executed, the virus searches for EXE files in the current and Windows directories and infects them. The virus then hooks six Windows file access functions (file searching and opening), stays in Windows memory as part of the host file's code, and infects files that are accessed. The virus can hook these Windows functions only if the host program uses them (imports them from the Windows kernel). The lifetime of the resident virus copy depends on the host program: when the host terminates, the resident virus code terminates too.
Depending on its random counter, the virus may disable either its direct infection routine or its installation routine, but in any case it will either search for and infect files, or install its TSR copy, or both.
When an infected program is run, the virus checks the system date and, three months after the program was infected, randomly runs one of its four effects.
Effect1: the virus creates the C:GIRIGAT.BMP file, writes a BMP image to it, and registers this file as the Windows wallpaper.
Effect2: the virus randomly changes the mouse cursor position. This procedure does not exit, and the application halts.
Effect3: the virus displays the "System Info" window, in which the copyright texts are modified to the following form (if Windows 95 is installed):
Microsoft + Girigat.4937
Windows 95
Copyright (c) 1981-1995 Microsoft Corp.
(C) 1998-1999 Mister Sandman
Effect4: as in Effect2, the virus enters an endless loop, in which it opens and closes the CD drive. This may cause hardware damage if it continues for a long time (overnight).