Details
Win95.Regix.4096.a
This is a non-dangerous, non-memory-resident, parasitic Windows virus. It replicates under Win9x and infects PE EXE files. Because of bugs in its infection routine, the virus does not work under WinNT.
This version of the virus is a "debug" one: while infecting and installing, it displays debug MessageBoxes:
Infecting: file name to be infected;
Infecting: name of file section to write the virus code to;
Installing: "Write File Sucess GoodBye" message after successfully installing the virus dropper to the system.
When an infected file is run, the virus extracts its own pure code, copies it to the Windows directory under the name REGIKX.EXE, and registers this copy (the virus dropper) in the system registry:
HKCR\exefile\shell\test\command = "ReGIkX.exe" %1 %*
As a result, the virus dropper gets control whenever an EXE file is accessed with the "test" command, and it receives the file name as an argument. The virus opens this file, checks its internal structure, and infects it. While infecting a file, the virus increases the size of the last file section, writes itself there, and modifies the necessary PE header fields.
The "test" command that is affected by the virus in the system registry is not used by common software, and appears to be a "debugging" one as well.
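A defender can check for this registration by auditing the verbs under `exefile\shell` in a registry export. The following is an added example, not part of the original description: the export text is constructed, the function names are hypothetical, and it assumes a REGEDIT4-style export in which a legitimate `exefile` verb has the command `"%1" %*`.

```python
import re

# Constructed sample: a REGEDIT4 export of HKEY_CLASSES_ROOT\exefile\shell
# from a hypothetical infected Win9x machine (not taken from the page).
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\test\command]
@="\"ReGIkX.exe\" %1 %*"
'''

# Matches [HKCR\exefile\shell\<verb>\command] and captures the verb name.
KEY_RE = re.compile(
    r'^\[(?:HKEY_CLASSES_ROOT|HKCR)\\exefile\\shell\\([^\\\]]+)\\command\]$', re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')   # the key's default value
BENIGN = '"%1" %*'                       # assumed legitimate handler: run the file itself

def unescape(value):
    # .reg exports escape backslashes and double quotes with a backslash.
    return re.sub(r'\\(["\\])', r'\1', value)

def audit_exefile_verbs(reg_text):
    """Return (verb, command, names_regikx) for every exefile verb whose
    command routes execution through another program."""
    findings = []
    verb = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('['):
            m = KEY_RE.match(line)
            verb = m.group(1) if m else None
            continue
        m = DEFAULT_RE.match(line)
        if verb and m:
            command = unescape(m.group(1))
            if command != BENIGN:
                findings.append((verb, command, 'regikx.exe' in command.lower()))
    return findings

if __name__ == '__main__':
    for verb, command, hit in audit_exefile_verbs(SAMPLE_REG):
        print(f'suspicious verb {verb!r}: {command} (names REGIKX.EXE: {hit})')
```

A finding for the "test" verb, together with a REGIKX.EXE file in the Windows directory, corresponds to the installation described above.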
If the virus dropper is executed with no EXE file name on the command line, it displays the following MessageBox:
Stoddart, And It Never Comes Again
There are gains for all our losses,
There are balms for all our pain,
But when youth, the dream, departs
It takes something from our hearts,
and it never comes again
Murkry/IkX
Making life fun through 'tronic life
RegIkx.ExE