Classification

Category :

Malware

Type :

Virus

Aliases :

Spaces, Busm

Summary

Spaces a dangerous memory resident parasitic Windows virus. It replicates under Win95/98 only and infects Win32 executable files (PE EXE - Portable Executable). When an infected file is run, the virus installs itself into Windows memory, hooks disk file opening and infects them. While infecting the virus writes itself to the end of the file into the last file section by increasing its size.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

On the June 1st the virus corrupts the MBR of the hard drive and halts the computer. The virus erases the MBR loader's code and patches the Disk Partition Table so that there is just one partition listed, and it points to the MBR sector, i.e. points to itself - the partition table loops to itself. This way of corruption is very dangerous: most of present DOSes (including MS-DOS) halts while loading - they go to unlimited loop while looking for the last disk partition. As a result the data on the disk are no t destroyed, but disk is not accessible ever while loading from floppy drive.While corrupting the MBR sector the virus overwrites it by direct writing to the hard drive controller's ports and bypasses BIOS anti-virus protection. This routine has a bug and in some cases (depending on the system configuration) the virus causes the "General Protection Fault" error message, and this saves the MBR.The virus was named "Spaces" because is uses two spaces to detect its copy in the Windows memory (these spaces are returned by a "are-you-here?" virus function). By two spaces the virus also separates infected and not infected files - the virus writes them to the PE header to the reserved field.The virus can be manually detected by the text string that presents at the end in infected files:

ERL

Technical Notes The virus installation procedure and some other routines are very closed to the "Win95.CIH". It seems this virus author used the "Win95.CIH" code as a base knowledge. The virus installs itself to the Windows kernel as a VxD driver: it jumps from the application Ring3 level to the system kernel Ring0 by patching the protected mode Interrupt Description Table, then allocates a block of system (VxD) memory, copies its code to there, intercepts the IFS API Windows calls, returns back to the Ring3 level and jump s to the host program's code. These routines are very closed to "Win95.CIH" virus. Other routines are not.To detect its copy in the Windows memory the virus also hooks the IFSMgr_Get_Version Windows VxD function. The virus detects its copy by this call with AX=2020h (two spaces), the "resident" virus copy returns DEADh in AX register.