| Description:
|
Details
Win95.Yobe
This is a dangerous memory resident parasitic Windows virus. It uses system calls that are valid under Win95/98 only, and can't spread under NT. The virus also has bugs and often halts the system when run. Despite this, the virus has very unusual way of spreading, and it is interesting enough from a technical point of view.
The virus can be found only in two files: "SETUP.EXE" on floppy disks and "SETUP .EXE" in the root of the C: drive (there is one space between the file name and ".EXE" extension).
On floppy disks, the virus uses a trick to hide its copy. It writes its complete code to the last disk sectors and modifies the SETUP.EXE file to read and execute this code.
The infected SETUP.EXE file looks just as a 512-byte DOS EXE program, but it is not. While infecting this file, the virus uses a DirII virus method: by direct disk sectors read/write calls, the virus gets access to disk directory sectors, modifies the "first file cluster" field and makes necessary changes in disk FAT tables. As a result, the original SETUP.EXE code is not modified, but the directory enters points to the virus code instead of the original file clusters.
When the infected SETUP.EXE is run from the infected floppy disk, this DOS component of the virus takes control, reads the complete virus body from the last sectors on the floppy disk, then creates the "C:SETUP .EXE" file, writes these data (complete virus code) to there and executes. The virus installation routine takes control then, installs the virus into the system and disinfects the SETUP.EXE file on the floppy drive.
While installing itself into the system, the virus creates a new key in the system registry to activate itself upon each Windows restart:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
YOBE=""C:SETUP .EXE" YOBE"
The virus then switches to the Windows kernel level (Ring0), allocates a block of system memory, copies itself to there and hooks disk-file access Windows functions (IFS API). This hook intercepts file opening calls, and upon opening the SETUP.EXE file on the A: drive, the virus infects it.
The virus has additional routines. First, one of them looks for "AVP Monitor" and "Amon Antivirus Monitor" windows and closes them; the second one, depending on the random counter, displays a line with the words "YOBE" to the left side of the screen. |
