Summary
Oporto is a Windows virus. It stays in memory only until the host
process (the infected program's process) terminates. The virus infects
PE (Portable Executable) files; the infection is of the appending
type. Upon infection the virus increases the size of the last
file section, writes its code there and modifies the necessary fields
in the PE header (the affected section's characteristics). To get control
when an infected file is run, the virus replaces the first bytes of the
program's startup code with a short routine that passes control
to the virus body. With this trick the virus doesn't have to modify the
program's entry point address. Before the virus passes control to
the host program, the replaced area is restored.
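A small PE section-table check for this infection pattern, added here as an example and not part of the original analysis: it parses the section headers and flags a last section whose characteristics allow execution, which is the trace an appending infector that rewrites section characteristics leaves behind. The two-section PE skeleton it builds is constructed for the check and is not a real program; the offsets and flag values are the documented PE/COFF ones.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020      # section contains code
IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section may be executed
IMAGE_SCN_MEM_WRITE = 0x80000000     # section may be written

def parse_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                            # section table follows the optional header
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr, "flags": flags})
    return sections

def last_section_findings(data: bytes) -> list:
    """Flag a last section that an appending infector could have turned into code.
    Packers and some linkers trip this too, so a hit is a triage lead, not a verdict."""
    last = parse_sections(data)[-1]
    f = last["flags"]
    findings = []
    if f & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
        findings.append("last section %s is executable" % last["name"])
    if f & IMAGE_SCN_MEM_EXECUTE and f & IMAGE_SCN_MEM_WRITE:
        findings.append("last section %s is writable and executable" % last["name"])
    return findings

def build_test_pe(last_flags: int) -> bytes:
    """Constructed two-section PE skeleton (headers only, not a runnable program)."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # no optional header
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000)
    rsrc = struct.pack("<8sIIIIIIHHI", b".rsrc", 0x1000, 0x2000, 0x200, 0x600, 0, 0, 0, 0, last_flags)
    return dos + coff + text + rsrc

if __name__ == "__main__":
    print(last_section_findings(build_test_pe(0x40000040)))  # clean .rsrc (DATA|READ): []
    print(last_section_findings(build_test_pe(0xE0000020)))  # .rsrc made CODE|EXEC|READ|WRITE
```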
Additional Details
When an infected file is run, the virus searches for PE EXE files
in the current directory, then in the Windows and Windows system
directories, and infects these files. Then the virus hooks up to
15 Windows file access functions (file searching, opening, etc.)
and stays in Windows memory as a part of the host program. When the
hooked functions are called, the virus searches for more PE EXE
files on the disk and infects them.
The virus is able to hook Windows functions only if the host
program uses them (the program imports these functions
from the Windows kernel). The lifetime of the resident virus copy
depends entirely on the lifetime of the host program: when the host is
terminated, the resident virus code is terminated too.
The virus has a payload: it deletes the anti-virus data file
ANTI-VIR.DAT if found. On the 24th of September the virus displays a
MessageBox and halts the system:
[Analysis: Eugene Kaspersky, AVP Team]