Category :


Type :


Aliases :



Not yet analyzed.


Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The virus code is encrypted with polymorphic routines in both DOS droppers and Windows PE files. In case of Windows files the virus also uses "Entry Point Obscuring" ({EPO:File_viruses}) technology: the virus code does not get control immediately when an infected file is executed. The JMP_Virus instruction in most of cases is places somewhere in infected file body, not in file header and not at file startup address, and is executed only when corresponding program's branch takes control.

The virus is "slow infector": before infecting it checks many conditions and as a result affects very few files on the computer - only just about ten EXE files in standard Windows95/98 installation. The same for HLP files and archives - very few of them may be infected. The virus also delays its infection routine for one minute before first infection, and infects HLP files and archives only in case there was no access to these files during two minutes.

The virus is very dangerous. When disk files are accessed, it checks their names and in case of several anti-virus program (ADINF, AVPI, AVP, VBA, DRWEB) the virus deletes all files in all directories on all disks from C: till Z: that the virus is able to delete, and then halts the system by the Fatal_Error_Handler VMM call.

There is one more victim file that is deleted by virus each time it installs itself into the system. It is COMMAND.PIF file in the Windows directory.

The virus has bugs which are lethal under some Windows95/98 configurations - on infecting the virus causes "blue screen" with standard "General protection fault" message.

While installing into the system the virus depending on its random counter (in one case from 48) displays the message:

Going Memory Resident

The virus "resident" copy does work on VxD (Ring0 - Windows kernel) level. DOS programs and Windows applications cannot access this area by standard methods, so the virus uses several tricks to install its code to there.

When DOS dropper is executed, the virus checks is Windows installed and returns to DOS, if it is not. Otherwise the virus by using DMPI calls gets access to Local Description Tables (processor's protect mode memory allocation tables), patches them and switches its DOS 16-bit code to protect mode 32-bit. The virus code then works as a part of Windows kernel and can access all necessary Windows functions.

When infected PE file is run, the virus also patches system memory allocation tables and switches its code from application level (Ring3) to kernel level (Ring0). The virus then passes control to the same installation routine as infected DOS droppers do.

The installation routine, when takes control, allocates a block of system memory, copies the virus to there, hooks Windows functions and releases control. The original virus copy then either returns to DOS (in case of DOS dropper), or restores host PE file data and code and returns.

Hooking Functions

The virus hooks three Windows functions. The first one is callback procedure for I/O port trapping. The virus hooks port 534Bh and uses it in its "Are you here?" calls. Reading from this port under infected system conditions returns 21h ("!" character) in the AL register. Both DOS and Windows virus installation routines try it before installing memory resident. The number of this port was used to name the virus - 534Bh is "SK" in ASCII.

The second hook is "standard" for resident Windows infectors - it is File System API hook. It intercepts file opening, renaming and file attribute get/set functions. On these calls the virus runs its infection routines.

The third hook intercepts the "Install FileSystemApiHook" function itself (the one that is used to install previous hook). This call is used by virus to hide its hooker: when a new hook is installed, Windows calls this function. At this moment the virus intercepts that, removes its own IFS API hook, installs new one (that is requested), and then re-installs its virus' hook. As a result the virus hooker is always on the top in the list of hooks, and it is the first one to receive control when disk files are accessed.

There is another trick in virus IFS API hooker: to access file system drivers (the destination of FileSystem calls) the virus uses address of "native" system handler. The virus gets this address from purely documented field in the caller's stack, and by using this address performs direct calls to necessary file functions.

Infecting Files

When the IFS API hooker gets control and the infection routine is activated for the first time, it infects the Windows shell application (usually - EXPLORER.EXE). To locate it the virus opens the SYSTEM.INI file in the Windows directory, scans it for the "shell=" instruction and infects it.

This file is always run, so the virus cannot modify it. To fix this problem the virus uses "upgrading" trick. The virus copies this file with another name (adds one to the last letter in file name: EXPLORER.EXE -> EXPLORER.EXF, for instance), infects new file and forces Windows to "upgrade" original file with infected one. To do that the virus uses standard way: it creates the WININIT.INI file in the Windows directory and write necessary "Rename" instructions to there.

If Windows shell is already infected, the virus infects the file that is accessed. First of all it checks file name extension. In case of .EXE, .SCR and .DLL files the virus jumps to PE file infecting routine; in case of .HLP file the virus patches it with its dropping code; in case of .RAR, .ZIP, .ARJ and .HA archives the virus inserts into their contents its own executable dropper.

Continued in "SK-TECH2"