Description:
Details
Win95.Zerg.3849
This is a dangerous memory-resident parasitic stealth Windows 95 virus. It stays in Windows memory, hooks the file access functions and writes itself to the end of PE EXE files that are accessed. It is the first known stealth virus infecting Windows 95/98. While the virus is active in the system, Windows and DOS applications cannot read its code: the virus intercepts their file access calls and returns the original (uninfected) bodies of infected files. The stealth engine in the virus has bugs and in some cases halts the system.
The virus contains the text:
-=#[Zerg v0.1 Beta]#=- The World First Full Stealth virus for Win95/98,
Written by Dark Slayer in Keelung, Taiwan (ROC). This is a Demo and Lame
virus. It's Show that How to Make a Full Stealth virus on IFSMgr, and
Directly Call into FSD without the Fucking IFSMgr_Ring0_FileIO. It's not
Finished yet at All, Keeping watch My Next virus, Next Generationall It'll
be A Partition/BOOT/COM/EXE/NEXE/PEXE/Polymorphic/Full
Stealth/Multi-Platform Infector. Greeting to all Virus Writer, Bye! ^_^
When an infected file is executed, the virus takes control and installs itself into the Windows kernel. To do that, the virus uses programming tricks to switch its code from application level to system level (from Ring3 to Ring0), allocates a block of system memory, copies itself there, hooks the IFS API calls, and then monitors file access.
The virus intercepts nine file access functions: file open, close and search functions, as well as file seek, write and read. On file close the virus activates its infection routine. On writes to files the virus disinfects them. On the other calls the virus modifies system data so that Windows functions return uninfected data.
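Because the resident virus hands back the original file body on every read, a scanner only sees the appended code when it runs from a clean boot (for example, from a known-clean disk with the infected system not started). As an added example that is not part of the original description, the following Python check walks a PE file's section table, treats any bytes past the last section as an overlay, and looks there for the marker text quoted above; the minimal one-section PE it builds is constructed for demonstration and is not a real executable, and the assumption that the marker string survives verbatim in the appended body is mine.

```python
import struct

# Marker text the description says the virus body carries (taken from the page).
ZERG_MARKER = b"-=#[Zerg v0.1 Beta]#=-"


def declared_pe_size(data):
    # End of the last section per the section table, or None if not a PE image.
    # Bytes past this offset form an overlay, where a file-appending infector lands.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]    # SizeOfOptionalHeader
    sec_tab = pe_off + 24 + opt_size
    end = sec_tab + n_sections * 40
    for i in range(n_sections):
        off = sec_tab + i * 40
        if off + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def scan_pe(data):
    # Flag an overlay carrying the marker. Must run from a clean boot: while the
    # virus is resident, its stealth hooks return the original file body instead.
    end = declared_pe_size(data)
    if end is None:
        return {"pe": False, "overlay_bytes": 0, "marker": False}
    overlay = data[end:]
    return {"pe": True, "overlay_bytes": len(overlay), "marker": ZERG_MARKER in overlay}


def build_sample(infected):
    # Constructed one-section PE for demonstration only; not a runnable binary.
    pe_off, opt_size = 0x40, 0xE0
    sec_tab = pe_off + 24 + opt_size
    raw_ptr = sec_tab + 40
    body = b"\x90" * 64
    hdr = bytearray(raw_ptr)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    hdr[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, pe_off + 6, 1)
    struct.pack_into("<H", hdr, pe_off + 20, opt_size)
    struct.pack_into("<II", hdr, sec_tab + 16, len(body), raw_ptr)
    data = bytes(hdr) + body
    if infected:  # mimic an appended body that contains the marker text
        data += b"\x00" * 16 + ZERG_MARKER + b"\x00" * 16
    return data
```

An overlay without the marker is not proof of infection (many legitimate installers and signed binaries carry overlays), so the overlay size is reported separately from the marker hit.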