Spaces is a dangerous memory-resident parasitic Windows virus. It
replicates under Win95/98 only and infects Win32 executable files
(PE EXE - Portable Executable). When an infected file is run, the
virus installs itself into Windows memory, hooks file-open calls
and infects the files being opened. While infecting, the virus
writes itself to the end of the file, into the last file section,
increasing that section's size.
On June 1st the virus corrupts the MBR of the hard drive and
halts the computer. The virus erases the MBR loader's code and
patches the Disk Partition Table so that there is just one
partition listed, and it points to the MBR sector, i.e. points to
itself - the partition table loops to itself. This kind of
corruption is very dangerous: most current DOS versions
(including MS-DOS) halt while loading - they enter an endless loop
while looking for the last disk partition. As a result the data on
the disk are not destroyed, but the disk is not accessible even
when booting from a floppy drive.
While corrupting the MBR sector the virus overwrites it by writing
directly to the hard drive controller's ports, bypassing BIOS
anti-virus protection. This routine has a bug, and in some cases
(depending on the system configuration) the virus causes a
"General Protection Fault" error message, which saves the MBR.
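The self-referencing partition table described above can be caught before a loader hangs on it. The following checker is an added example, not part of the original description: it parses the MBR partition entries and walks the extended-partition chain the way a DOS loader would, but with a visited set, so a table pointing back at sector 0 is reported instead of looping. The sample sectors are constructed, and the walk uses the LBA start field of each entry as an absolute sector number (a simplification; the page does not give the corrupted table's exact bytes).

```python
import struct

SECTOR_SIZE = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # DOS/Win9x extended partition types

def parse_partition_table(sector):
    """Return the non-empty entries of a 512-byte MBR/EBR as dicts."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 55AA boot signature")
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i:446 + 16 * (i + 1)]
        boot, ptype, lba_start, n_sectors = struct.unpack("<B3xB3xII", raw)
        if ptype != 0:
            entries.append({"bootable": boot == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": n_sectors})
    return entries

def check_partition_chain(read_sector, max_hops=16):
    """Walk MBR -> extended partition chain like a DOS loader, but keep a
    visited set so a table that points back to itself is reported.
    Returns a list of problems (empty list means the chain terminates)."""
    problems, visited, lba = [], set(), 0
    for _ in range(max_hops):
        if lba in visited:
            problems.append("loop: sector %d already visited" % lba)
            return problems
        visited.add(lba)
        entries = parse_partition_table(read_sector(lba))
        for e in entries:
            if e["lba_start"] == 0:   # a partition can never start at the MBR sector
                problems.append("entry type 0x%02X starts at sector 0 (points to MBR)" % e["type"])
        ext = [e for e in entries if e["type"] in EXTENDED_TYPES]
        if not ext:
            return problems
        lba = ext[0]["lba_start"]   # assumption: absolute LBA (real EBRs use relative values)
    problems.append("chain longer than %d hops" % max_hops)
    return problems

def make_sector(entries):
    """Build a constructed 512-byte sector from (bootable, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if b else 0, t, s, n) for b, t, s, n in entries)
    return b"\x00" * 446 + table.ljust(64, b"\x00") + b"\x55\xAA"

# Constructed samples: a healthy disk, and a table with a single entry pointing at the MBR itself
HEALTHY = {0: make_sector([(True, 0x0B, 63, 2_097_152)])}
LOOPED = {0: make_sector([(False, 0x05, 0, 0)])}
```

Run `check_partition_chain(LOOPED.__getitem__)` to see both the sector-0 start and the loop reported, where the DOS loaders described above would simply hang.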
The virus was named "Spaces" because it uses two spaces to detect
its copy in Windows memory (these spaces are returned by an
"are-you-here?" virus function). The virus also uses two spaces to
distinguish infected files from uninfected ones: it writes them
into a reserved field of the PE header.
The virus can be detected manually by the text string that
appears at the end of infected files:
ERL
Technical Notes
The virus installation procedure and some other routines are very
close to those of "Win95.CIH". It seems this virus author used the
"Win95.CIH" code as a base. The virus installs itself into the
Windows kernel as a VxD driver: it jumps from the application
Ring3 level to the system kernel Ring0 by patching the protected
mode Interrupt Descriptor Table, then allocates a block of system
(VxD) memory, copies its code there, intercepts the IFS API
Windows calls, returns to the Ring3 level and jumps to the host
program's code. These routines are very close to those of the
"Win95.CIH" virus. Other routines are not.
To detect its copy in Windows memory the virus also hooks the
IFSMgr_Get_Version Windows VxD function. The virus detects its
copy by calling this function with AX=2020h (two spaces); the
resident virus copy returns DEADh in the AX register.