Spaces is a dangerous memory-resident parasitic Windows virus. It replicates under Win95/98 only and infects Win32 executable files (PE EXE, Portable Executable). When an infected file is run, the virus installs itself into Windows memory, hooks file-open operations on disk and infects the files that are opened. While infecting, the virus writes itself to the end of the file, into the last file section, increasing that section's size.
On June 1st the virus corrupts the MBR of the hard drive and halts the computer. The virus erases the MBR loader's code and patches the Disk Partition Table so that only one partition is listed, and that partition points to the MBR sector, i.e. to itself: the partition table loops back to itself. This kind of corruption is very dangerous: most current DOS versions (including MS-DOS) hang while loading, entering an infinite loop while looking for the last disk partition. As a result the data on the disk are not destroyed, but the disk is not accessible, even when booting from a floppy drive.

While corrupting the MBR sector the virus overwrites it by writing directly to the hard drive controller's ports, bypassing the BIOS anti-virus protection. This routine has a bug, and in some cases (depending on the system configuration) the virus causes a "General Protection Fault" error message, which saves the MBR.

The virus was named "Spaces" because it uses two spaces to detect its copy in Windows memory (these spaces are returned by the virus's "are-you-here?" function). The virus also uses two spaces to separate infected from non-infected files: it writes them to a reserved field of the PE header.

The virus can be detected manually by the text string present at the end of infected files:
Technical Notes

The virus installation procedure and some other routines are very close to those of "Win95.CIH". It seems the virus author used the "Win95.CIH" code as a base. The virus installs itself into the Windows kernel as a VxD driver: it jumps from the application Ring3 level to the system kernel Ring0 by patching the protected-mode Interrupt Descriptor Table, then allocates a block of system (VxD) memory, copies its code there, intercepts the IFS API Windows calls, returns to the Ring3 level and jumps to the host program's code. These routines are very close to the "Win95.CIH" virus; the other routines are not.

To detect its copy in Windows memory the virus also hooks the IFSMgr_Get_Version Windows VxD function. The virus detects its copy by making this call with AX=2020h (two spaces); the "resident" virus copy returns DEADh in the AX register.
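The MBR corruption described above (loader code erased, a single partition entry that points back at the MBR sector) leaves a recognisable pattern in sector 0. The following checker is an added example, not Kaspersky's code; it parses a 512-byte MBR image (for instance one read from a disk image during forensics) and reports a zeroed loader area and any non-empty partition entry whose start LBA is 0. The sample MBRs are constructed here to model the description, not captured from the virus.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE      # four 16-byte partition entries start here
PART_ENTRY_FMT = "<B3xB3xII"   # boot flag, (CHS start), type, (CHS end), LBA start, sector count
SIGNATURE_OFFSET = 0x1FE       # 55AA boot signature


def parse_partitions(mbr: bytes) -> list:
    """Return the four partition table entries as dicts (empty entries have type 0)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * 16
        boot, type_id, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        entries.append({"boot": boot, "type": type_id, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    if len(mbr) != MBR_SIZE:
        return ["not a 512-byte sector"]
    findings = []
    if mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xAA":
        findings.append("missing 55AA boot signature")
    if not any(mbr[:PART_TABLE_OFFSET]):
        findings.append("loader erased: boot code area is all zeros")
    used = [(i, e) for i, e in enumerate(parse_partitions(mbr)) if e["type"] != 0]
    for i, e in used:
        if e["lba_start"] == 0:   # a real partition never starts in the MBR sector itself
            findings.append(f"partition entry {i} starts at LBA 0 and points back at the MBR")
    if len(used) == 1 and used[0][1]["lba_start"] == 0:
        findings.append("single partition that loops to the MBR sector")
    return findings


def build_mbr(entries, loader=b"\xEB\xFE") -> bytes:
    """Construct a test MBR from (boot, type, lba_start, sectors) tuples (constructed data)."""
    sector = bytearray(MBR_SIZE)
    sector[:len(loader)] = loader
    for i, (boot, type_id, lba, count) in enumerate(entries):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * 16, boot, type_id, lba, count)
    sector[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


# Constructed samples: a normal layout, and one modelling the looped table with the loader wiped.
HEALTHY_MBR = build_mbr([(0x80, 0x0B, 63, 2097152)])
LOOPED_MBR = build_mbr([(0x80, 0x0B, 0, 2097152)], loader=b"")
```

Run `check_mbr` over sector 0 of a disk image; a clean disk yields no findings, while a looped table yields both the LBA-0 and the single-partition findings.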
Technical Details: Kaspersky Labs; January 2002