Description:
Details
Win95.Vlades.29696
This is a Win95 parasitic virus that infects PE EXE files and is combined with a password-stealing trojan horse ("PSW trojan"). The virus is written in the Delphi programming language and has a component written in Assembler; the virus length is about 30Kb. The virus neither manifests itself in any visual way nor damages data on drives, but its infection routine has bugs that corrupt some EXE files. The virus was named after the encoded text string "VladBEST" found in its code.
When an infected file is executed, the virus extracts its "pure code" as a standalone PE EXE file, stores it in the Windows SYSTEM directory under the name KERNEL.DLL, and then executes it. No file of that name exists in a standard Windows installation, which has KERNEL32.DLL instead; the virus disguises its presence by using this deceptive name.
Running from KERNEL.DLL, the virus stays in Windows memory as a hidden application, searches for PE EXE files in the Windows directory and then in all directories on all available drives from C: to Z:, and infects the PE files it finds.
When infecting, the virus writes its code as two blocks. The first block is a very short piece of Assembler code that is written to the end of the first file section, if there is a gap of sufficient size. This code receives control when the infected file is executed; it installs and runs the "pure" virus code (see above). The second block is the 30Kb virus code itself. It is written to the last file section, and the virus increases the size of this section while infecting a file.
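As a defender-side check for the infection pattern described above, the following added example (not part of the original description) parses a PE section table and flags a file whose entry point falls in the unused gap at the end of the first section, the spot where the stub is written. It assumes the stub receives control via a redirected entry point and uses a constructed, non-executable PE header rather than a real sample.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def parse_pe(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", pe, coff + 2)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20
    entry, = struct.unpack_from("<I", pe, opt + 16)       # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(SECTION_HDR, pe, off)[:5]
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr})
        off += 40
    return entry, sections


def entry_in_first_section_gap(pe: bytes) -> bool:
    """Heuristic: entry point lies past the first section's used bytes (VirtualSize)
    but inside its file-aligned SizeOfRawData, i.e. in the gap a stub can hide in."""
    entry, sections = parse_pe(pe)
    first = sections[0]
    gap_start = first["va"] + first["vsize"]
    gap_end = first["va"] + first["rawsize"]
    return gap_start <= entry < gap_end


def build_sample(entry: int, vsize: int, rawsize: int) -> bytes:
    """Constructed two-section PE32 header for testing only; it is not runnable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry)
    text = struct.pack(SECTION_HDR, b".text", vsize, 0x1000, rawsize, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_HDR, b".data", 0x200, 0x3000, 0x200, 0x400 + rawsize, 0, 0, 0, 0, 0xC0000040)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + data


if __name__ == "__main__":
    clean = build_sample(entry=0x1000, vsize=0x1234, rawsize=0x1400)
    suspect = build_sample(entry=0x2300, vsize=0x1234, rawsize=0x1400)
    print(entry_in_first_section_gap(clean), entry_in_first_section_gap(suspect))  # False True
```

The check is a heuristic, not a signature: some packers also place the entry point outside a section's VirtualSize, so hits should be confirmed by inspecting the bytes at the entry point.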
The password-stealing ability is activated only if the Russian localization package is installed. The virus then collects confidential information from the system and sends a message to the Internet address wladic@chat.ru.