The virus can be found in three different forms:
- infected Win32 PE files
- infected DOS COM files
- Win32 PE dropper (31672 bytes of pure virus code)

Because of bugs, the infected COM and EXE files cannot run under
Windows NT; they are terminated with a standard NT or DrWatson error.

When infecting both Win32 and DOS files, the virus writes its complete
32Kb code to the end of the file and modifies the file headers to pass
control to the virus routine. The addresses of the entry routines are
different in all three cases of infection. When it takes control in an
infected Win32 or DOS program, the virus searches for the Win32 dropper
(the C:\MYLENE.EXE file), executes it and returns control to the host
program. If there is no dropper in the root directory of the C: drive,
the virus first creates it and then executes it.
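
The following triage heuristic is an added example, not part of the original analysis: it flags a PE file whose entry point maps into the last 31672 bytes of the file, which is where an appended virus body of that size would sit. It assumes the header field changed is the PE AddressOfEntryPoint; the function names and the sample images are constructed for illustration, and a hit is a reason for closer inspection, not a signature match.

```python
import struct

VIRUS_LEN = 31672  # virus body size quoted in the description above

def entry_in_appended_tail(data: bytes, tail: int = VIRUS_LEN) -> bool:
    """Heuristic: does the PE entry point map into the last `tail` bytes of the file?"""
    if len(data) <= tail or data[:2] != b"MZ":
        return False  # a host no larger than the virus body cannot carry it
    try:
        pe, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            return False
        nsec, = struct.unpack_from("<H", data, pe + 6)        # NumberOfSections
        opt_size, = struct.unpack_from("<H", data, pe + 20)   # SizeOfOptionalHeader
        entry, = struct.unpack_from("<I", data, pe + 40)      # AddressOfEntryPoint
        table = pe + 24 + opt_size                            # first section header
        for i in range(nsec):
            vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, table + 40 * i + 8)
            if vaddr <= entry < vaddr + max(vsize, rsize):
                # Translate the entry RVA to a file offset and compare with the tail.
                return rptr + (entry - vaddr) >= len(data) - tail
    except struct.error:
        pass  # truncated or malformed headers: not classifiable
    return False

def build_pe(entry_rva, sections):
    """Constructed sample input: minimal PE32 headers; sections = [(rva, raw_ptr, raw_size)]."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    table = b"".join(struct.pack("<8sIIII16x", b".sec", size, rva, size, ptr)
                     for rva, ptr, size in sections)
    end = max(ptr + size for _, ptr, size in sections)
    return (dos + coff + opt + table).ljust(end, b"\0")

# Constructed hosts: entry in the first section, entry at the start of 31672
# appended bytes, and a file too small to hold the virus body at all.
CLEAN = build_pe(0x1010, [(0x1000, 0x200, 0x10000), (0x11000, 0x10200, 0x8000)])
APPENDED = build_pe(0x13000, [(0x1000, 0x200, 0x10000), (0x11000, 0x10200, 0x2000 + VIRUS_LEN)])
TINY = build_pe(0x1000, [(0x1000, 0x200, 0x400)])

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("appended", APPENDED), ("tiny", TINY)):
        print(name, entry_in_appended_tail(img))
```

Packed or otherwise unusual but legitimate executables can also start execution near the end of the file, so the result should be combined with other evidence such as the presence of C:\MYLENE.EXE.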

These dropper activation routines are quite short in infected files.
In the case of DOS COM files it is just a simple create-write-close-run
routine of about 200 bytes. In the case of Win32 files it is more
sophisticated, but also quite silly and short.

So the virus in infected files just creates and runs the dropper and
does nothing more; all infection and payload functions fall to the
Win32 virus dropper. The virus also disables the AVPI anti-virus program.

Before calling the infection routines the virus calls the trigger
routine. This routine is executed with a probability of 1/8, depending
on the system time counter, and changes the Windows background picture
(WallPaper) to a picture of the French female singer Mylene Farmer.

[Analysis: Eugene Kaspersky]