
F-Secure Virus Descriptions : K32





NAME:K32
SIZE:3030
TYPE:Resident EXE-files

Win95/K32.3030 is a resident Windows 95 virus infecting EXE files.

K32 activates on February 19th. On this date it displays this text:

        nIgr0_lives_here!!!!
        Virus K32 por nIgr0  ... "Hazlo o no lo hagas pero no lo intentes"

The last sentence is in Spanish and means "Do it or do not do it, but do not try it".

When an infected file is executed, the virus scans the KERNEL32.DLL data, gets the addresses of the Windows functions it needs (CreateFile, SetFilePointer, ReadFile, WriteFile, CloseHandle, CreateProcessA, GetModuleHandleA, GetProcAddress), copies itself into unused data space in the Windows kernel and hooks the CreateProcess function. To hook this function, the virus patches the Windows kernel with a Jmp_Virus instruction. While infecting a file, the virus increases the size of the file's last section and writes itself there.

[Analysis: Eugene Kaspersky]
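
The infection method described above (the last file section is enlarged and the virus body written into it) suggests a static check, given here as an added example that is not part of the original description: parse the PE section table and flag a file whose entry point lies in its last section, or whose last section is both executable and writable. The description does not say how the virus redirects execution or which section flags it sets, so both checks are assumed, generic appender heuristics; `build_sample` produces constructed, header-only input.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIII12xI"  # name, vsize, vaddr, rawsize, rawptr, flags (40 bytes)

def last_section_report(data: bytes) -> dict:
    """Flag signs of code appended to the last section of a PE file.

    Assumption (not stated on the page): an appender also points the entry
    point into that section and leaves it executable and writable.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    n_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    entry_rva, = struct.unpack_from("<I", data, pe_off + 24 + 16)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, rsize, rptr, flags = struct.unpack_from(
            SECTION_FMT, data, table + 40 * i)
        sections.append((rptr, name.rstrip(b"\0").decode("latin-1"),
                         vaddr, max(vsize, rsize), flags))
    if not sections:
        raise ValueError("no sections")
    _, name, vaddr, span, flags = max(sections)  # section stored last on disk
    return {
        "last_section": name,
        "entry_in_last": vaddr <= entry_rva < vaddr + span,
        "exec_and_write": bool(flags & IMAGE_SCN_MEM_EXECUTE)
                          and bool(flags & IMAGE_SCN_MEM_WRITE),
    }

def build_sample(entry_rva: int, last_flags: int) -> bytes:
    """Constructed two-section PE image: headers only, no code or data."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    text = struct.pack(SECTION_FMT, b".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020)
    last = struct.pack(SECTION_FMT, b".reloc", 0x1000, 0x2000, 0x1000, 0x1400, last_flags)
    return dos + b"PE\0\0" + coff + opt + text + last

if __name__ == "__main__":
    print(last_section_report(build_sample(0x1000, 0x42000040)))  # typical layout
    print(last_section_report(build_sample(0x2C00, 0xE0000020)))  # appender-like
```

Either flag alone is only a triage signal: packers and some legitimate linkers also produce files that trip these checks.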