Additional Details
When an infected file is executed, the virus scans the KERNEL32.DLL data,
gets the addresses of the Windows functions it needs (CreateFile,
SetFilePointer, ReadFile, WriteFile, CloseHandle, CreateProcessA,
GetModuleHandleA, GetProcAddress), copies itself into unused data space in
the Windows kernel and hooks the CreateProcess function. To hook this
function, the virus patches the Windows kernel with a Jmp_Virus
instruction. While infecting a file, the virus increases the size of the
file's last section and writes itself there.
[Analysis: Eugene Kaspersky]
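
The growth of the last section described above is something a file-integrity check can measure by comparing a known-good copy of an executable with the copy currently on disk. The following is an added example, not part of the original analysis; the function names are hypothetical and the sample headers are constructed, zero-filled data.

```python
import struct

def pe_sections(data):
    """Return [(name, virtual_size, raw_size, raw_ptr)] from a PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                          # first section header
    out = []
    for i in range(n_sections):
        name, vsize, _va, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize, rptr))
    return out

def last_section_growth(baseline, current):
    """Compare the last on-disk section of a known-good copy and the current copy."""
    last = lambda secs: max(secs, key=lambda s: s[3])       # highest raw offset
    b, c = last(pe_sections(baseline)), last(pe_sections(current))
    return {"section": c[0],
            "raw_growth": c[2] - b[2],
            "virtual_growth": c[1] - b[1],
            "file_growth": len(current) - len(baseline)}

def make_sample(last_raw, last_virt):
    """Constructed minimal image: DOS header, COFF header, two section headers."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    text = struct.pack("<8sIIII", b".text", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    rsrc = struct.pack("<8sIIII", b".rsrc", last_virt, 0x2000, last_raw, 0x400) + b"\0" * 16
    return (dos + coff + text + rsrc).ljust(0x400, b"\0") + b"\0" * last_raw

if __name__ == "__main__":
    good = make_sample(0x200, 0x180)     # constructed baseline copy
    grown = make_sample(0x600, 0x580)    # same file with a larger last section
    print(last_section_growth(good, grown))
```

A non-zero `raw_growth` on a file that was not legitimately updated is a reason to examine that copy more closely; it is not proof of infection on its own.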