Details
Win32.Resur.a
This is a relatively harmless per-process memory-resident parasitic virus. When an infected file is executed, the virus takes control, runs its infection thread (process) and returns control to the host file. The virus thread then stays active in the background of the parent (host) process, scans the subdirectory trees on all available drives and infects the PE EXE files it finds there.
The virus uses a complex infection method: it processes the victim file's structure and incorporates its code into the file. The virus body itself is a standard PE EXE file with four sections: code, data, resources and fixup (relocation) table. Depending on the victim file's structure, the virus either adds all of its sections to the victim file body as separate sections, or appends some of its sections to the existing ones. The virus then makes the necessary changes in the victim file's headers - it modifies the program start-up address, section numbers, section addresses and sizes.
Resur.a,c
The virus contains text strings that it displays in some cases:
I already told you this butall
Warning! Don't close this window
Win32/Resurrection by Tcp/29A
Hey you, stupid
29A
Resur.b
This is a remake of the original virus. Instead of displaying the message (see above), it forces the installed Internet browser to open the Web site "http://sennaspy.tsx.org". The virus also contains the following text string:
Senna Spy Fenasoft 2000 Virus
Resur.d
This virus is encrypted. It uses a very unusual method to decrypt its code when an infected file is run. While infecting files, the virus modifies the program Image Base and generates special data in the Relocation Section (Fixup section). As a result, when the program is relocated to its real addresses in Windows memory, the relocation procedure itself decrypts the encrypted virus code.
This virus contains the text:
Win95/SVK by Tcp/29A
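
A scanner-side heuristic for the relocation trick described for Resur.d, as an added example that is not taken from the original description or from any vendor's engine: it parses the raw bytes of a PE base relocation table and flags pages where fixups overlap or cover most of the page, which linker-generated tables do not do. The function names, the density threshold and the sample table are assumptions constructed for illustration.

```python
import struct

HIGHLOW = 3        # IMAGE_REL_BASED_HIGHLOW: loader adds the load delta to a 32-bit value
PAGE_SIZE = 0x1000

def parse_reloc_blocks(data):
    """Yield (page_rva, [(type, offset), ...]) per IMAGE_BASE_RELOCATION block."""
    pos = 0
    while pos + 8 <= len(data):
        page_rva, block_size = struct.unpack_from("<II", data, pos)
        if block_size < 8 or pos + block_size > len(data):
            break                      # terminator or malformed block: stop parsing
        count = (block_size - 8) // 2
        entries = struct.unpack_from("<%dH" % count, data, pos + 8)
        yield page_rva, [(e >> 12, e & 0x0FFF) for e in entries]
        pos += block_size

def fixup_report(data, density_threshold=0.5):
    """Per-page fixup coverage; the threshold is an assumed value, tune it on clean files."""
    report = []
    for page_rva, entries in parse_reloc_blocks(data):
        offsets = sorted(off for typ, off in entries if typ == HIGHLOW)
        covered = set()
        for off in offsets:
            covered.update(range(off, min(off + 4, PAGE_SIZE)))
        # Linker-generated fixups patch distinct address fields, so they never overlap.
        overlaps = sum(1 for a, b in zip(offsets, offsets[1:]) if b - a < 4)
        density = len(covered) / PAGE_SIZE
        report.append({"page_rva": page_rva, "fixups": len(offsets),
                       "density": density, "overlaps": overlaps,
                       "suspicious": density >= density_threshold or overlaps > 0})
    return report

def build_block(page_rva, offsets):
    """Constructed sample data: pack one relocation block of HIGHLOW entries."""
    entries = [(HIGHLOW << 12) | off for off in offsets]
    if len(entries) % 2:
        entries.append(0)              # IMAGE_REL_BASED_ABSOLUTE padding entry
    return struct.pack("<II%dH" % len(entries), page_rva, 8 + 2 * len(entries), *entries)

# Constructed input: one ordinary code page, one page with a fixup on every dword.
SAMPLE = build_block(0x1000, [0x010, 0x048, 0x120, 0x3A0]) + \
         build_block(0x5000, range(0, PAGE_SIZE, 4))

if __name__ == "__main__":
    for row in fixup_report(SAMPLE):
        print(hex(row["page_rva"]), row["fixups"], round(row["density"], 3), row["suspicious"])
```

The input is the content of the relocation directory only; locating it inside a file (via the PE data directory) is left to whatever PE parser the scanner already uses.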