1992
Posted by Mikko @ 15:40 GMT
- The virus infects only Windows EXE files
- The strings 'Virus_for_Windows v1.4' and 'MK92' are embedded in the code
- The virus infects only Windows applications. Infection takes place when an infected application is executed.
- As a result of the infection mechanisms used by the virus, an infected file does not start on the first double-click but only on the second. The virus does not constitute a major threat to Windows users. It is not a very efficient infector and does not try to harm data.
The infection procedure:
1. The virus is activated when an infected application is executed.
2. The virus searches for a file suitable for infection from the default directory using MS-DOS INT 21h, AX=4E, 4F services
3. If no targets can be found, the execution is finished with the call INT 21h, AX=4C00. The actual Windows application is not executed.
4. If targets are found, they are opened one by one and the time stamps saved in memory.
5. The MZ and NE headers are checked.
6. Several values are checked from the NE header.
7. The virus code is added in the middle of the application.
8. The replaced code is moved to the end of the application.
9. The CS:IP from the NE header is changed to point to the beginning of the viral code.
10. The virus deletes its code from the original file and rebuilds it to a functional state.
11. The execution is finished.
Other observations:
- After the virus code is executed, the original application is not executed. To the user this looks like a failed double-click. As the virus rebuilds the original file if it manages to infect a new file, the next attempt to execute the original application is successful.
- The infected files grow by 854 bytes.
- The infection does not change the time stamp of the target application file.
- The virus is not encrypted or protected in any way.
- No activation routines could be found.
- The names of the infector application and of the infected file are saved in the virus code.
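
A defensive check built from the details above (the MZ and NE header checks, the CS:IP entry in the NE header, and the two unencrypted marker strings), as an added example that is not part of the original post. The field offsets (e_lfanew at 0x3C, CS:IP at NE+0x14) are taken from the standard NE layout, `inspect_ne` and `build_sample` are hypothetical names, and the sample file is constructed and contains no virus code.

```python
import struct

# Strings the description says are embedded, unencrypted, in the virus code.
MARKERS = (b"Virus_for_Windows v1.4", b"MK92")

def inspect_ne(data: bytes):
    """Return the NE entry point and marker hits, or None if not an MZ+NE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (ne_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if ne_off + 0x40 > len(data) or data[ne_off:ne_off + 2] != b"NE":
        return None                                          # DOS-only or PE file
    # NE header offset 0x14: entry IP (word) followed by entry segment number.
    ip, seg = struct.unpack_from("<HH", data, ne_off + 0x14)
    found = [m.decode() for m in MARKERS if m in data]
    # 'MK92' alone is only 4 bytes, so require both strings before flagging.
    return {"entry_segment": seg, "entry_ip": ip, "markers": found,
            "suspicious": len(found) == len(MARKERS)}

def build_sample(with_markers: bool) -> bytes:
    """Constructed input: bare MZ stub plus NE header and filler bytes."""
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)                   # NE header at 0x40
    ne = bytearray(0x40)
    ne[:2] = b"NE"
    struct.pack_into("<HH", ne, 0x14, 0x0010, 1)             # IP=0x10, segment 1
    body = b"\x90" * 32
    if with_markers:
        body += b"Virus_for_Windows v1.4\x00MK92"
    return bytes(mz + ne) + body

if __name__ == "__main__":
    for label, flag in (("clean", False), ("marked", True)):
        print(label, inspect_ne(build_sample(flag)))
```

Because the infection leaves the file time stamp unchanged, the reported entry point and file size are more useful than modification dates when comparing a file against a known-good copy.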
---------------------------
Wow. A Windows malware which is all of a whopping 854 bytes in size. Times sure have changed.
Signing off,
Mikko