Details
Win95.Fono.15327

This is a dangerous memory resident multipartite virus. Also known as Inca. It affects many types of executable object, but the main target of the virus is Windows95 system - the virus main code stays memory resident under Windows95 as a VxD driver, hooks file opening procedure and writes to the end of accessed PE executable files. The virus also hooks INT 13h protected mode chain and affects boot sector of 1.4Mb floppy disks. The virus also writes infected COM droppers directly into the archives of several types (ZIP, LHA, ARJ and RAR); creates its VxD dropper on the disk; creates a trojan COM file; and ever drops a mIRC worm that seems to pass the virus code through IRC channels.
The virus has polymorphic ability: the virus code is encrypted by polymorphic loop in infected PE files, COM droppers and ever in boot sectors.
The virus has the text inside its code: “El Inca virus”, but was named “Fono” after the name of its dropper files (see below).
Infection
While installing memory resident the virus VxD code hooks IFS (Installable File System) API calls and INT 13h V86 chain, as a result the virus intercepts both file and disk access calls.
The virus IFS hook intercepts file opening calls, gets file name and depending on the file type runs one of its infection routines. The virus affects the EXE and SCR (screen savers) files as well as LHA, LZH, PAK, ZIP, ARJ, RAR archives. The virus also pays attention to the MIRC32.EXE file and runs its “worm” routine when this file is accessed.
When PE executable files are accessed, the virus checks their internal formats, writes its code to the end of the file and modifies the file PE header to get the control when infected files are executed. While infecting the virus creates new file section with random selected name and writes its code to that section.
If the MIRC32.EXE file is opened, the virus creates the REVENGE.COM file in the current directory and writes the trojan code to there. When run this trojan sets the BIOS password settings to random one. That does work on AWARD/AMI BIOSes, on other BIOS types it simply erases the CMOS. The trojan then halts the computer.
After dropping the trojan file the virus accesses the MIRC.INI file and writes to its end the instruction that disables the MIRC security setting:
[fileserver]
Warning=Off

The virus then creates the SCRIPT.OLD, SCRIPT.INI and INCA.EXE file. The INCA.EXE contains the virus dropper, the SCRIPT.INI file contains a code that sends this dropper to the IRC channel, the SCRIPT.OLD file stays empty.
When archives are accessed, the virus parses their formats and adds the droppers to them. These droppers have COM file format, four random letter in name and randomly selected COM or EXE extension.
The infected PE files and COM droppers both are encrypted by polymorphic engine. They have similar structure: installation routine and main virus VxD code. The installation routine when receives control just searches for Windows directory and drops the main virus code in VxD form to there. The installation routine then registers this VxD dropper in the SYSTEM.INI file. That is necessary to note that the main virus VxD code in infected files is packed by silly compression method.
By hooking INT 13h the virus infects boot sectors on the 1.4Mb floppy disks. While infecting the virus writes to the disk its code divided into three blocks: boot code, dropper and main virus code. The virus boot code is polymorphic one, it is written to the boot sector of the disk. This code just reads the dropper code and passes control to it. The dropper reads the main virus code, converts (unpacks) it to VxD and drops it to the Windows system directory.
Installation
When Windows is loading with infected VxD registered in the system, the virus takes control, disables logging to the BOOTLOG.TXT file, locates and deletes the WINDOWS\SYSTEM\IOSUBSYS\HSFLOP.PDR file, locates its own file on the disk, reads and compresses it for further use while infecting PE files and creating COM droppers.
The virus then allocates necessary amount of memory that uses as a storage for data to infect files and runs its polymorphic routines. The virus runs its polymorphic engine three times: to generate decryption loops that will be written to boot sectors, COM droppers and PE files. The virus stores these codes up to rebooting. As a result all objects of the same type (boot sectors, COM and PE files) will be infected by the same polymorphic loops during the seance - the virus is “slow polymorphic” one, i.e. it does not changes its polymorphic code each time it infects a file or sector.
The virus installation routine has a bug. As a result of this bug the virus installs itself into the memory not in all of cases.
COM Dropper Run
The virus COM droppers contain pure virus code encrypted with polymorphic engine. When such files are executed, the virus decrypts itself, locates Windows directory by “windir=” pointer in the system environment area, creates in the SYSTEM subdirectory the VxD dropper with the \SYSTEM\FONO98.VXD name. The virus then registerst it in the SYSTEM.INI file in the [386Enh] section: writes the “device=fono98.vxd” instruction to there.
The main (VxD) virus code in compressed in the COM dropper, so the virus unpacks it before writing to the disk.
Infected PE Files Run
The virus code in the infected PE files has the same target as in COM droppers: to create and register the virus VxD file in the system. This code when takes the control decrypts the rest of the virus, scans Kernel32 export table for necessary functions (GetProcAddress, GetModuleHandleA, CreateFileA, WriteFile, CloseHandle, WinExec, DeleteFileA, Sleep), creates the C:\W95INCA.COM file, runs and deletes it. This COM file is exactly the virus COM dropper described above.
Loading From Infected Boot Sector
This routine as well as COM and PE virus routines installs the virus VxD file into the Windows system directory and operates similar to COM dropper. The virus polymorphic entry routine placed in infected boot sector reads from disk sectors the main virus body and runs it. The main virus routine then hooks INT 1Ch, waits for DOS loading process, hooks INT 21h and on first execution of any program drops the infected VxD file with the same name FONO98.VXD and registers it in the SYSTEM.INI file.
The only difference here is the fact that boot instance of virus is able to infect Windows only in case it is placed on C: drive in the C:\WINDOWS directory. The COM instance of virus is able to infect Windows if it is installed in any directory on any drive.
The virus installation routine seems to have a bug here preventing to infect the system under most common environments.

Details
Win95.Evil

It is a dangerous nonmemory resident parasitic Windows95 virus. It searches for PE EXE files (Portable Executable), then writes itself to the end of the file. While infecting the virus increases the size of last file section, writes itself to there and modifies the PE header fields including program’s start address. To access file search/read/write functions the virus scans Windows95 kernel, gets undocumented DOS_Call function address and then calls it with DOS INT 21h functions numbers.
The virus has several lethal bugs and very often corrupts files while infecting them. It contains the ID-word:
EVIL

Details
Win95.Dupator.1503

This is a harmless memory resident parasitic Win32 virus. It infects Win32 PE EXE files and also infects KERNEL32.DLL Windows system files. The virus does not manifest itself in any way. Because of a bug, the virus does not work on WinNT machines.
While infecting a file, the virus creates a new PE section at the end of the file and writes its code to there. In the case of applications, the virus then modifies a program’s start-up address, and in the case of KERNEL32.DLL, the virus patches the export table (see below). The virus section in infected files has the “DUPATOR!” name, and this string may be used for manual detection of the infected files.
When an infected program is run, the virus takes control and infects the KERNEL32.DLL file. To do this the virus copies this file from the system Windows directory (where this file is located by default) to the Windows directory, for example:
WINDOWS\SYSTEM\Kernel32.Dll -> WINDOWS\Kernel32.Dll
WINNT\SYSTEM32\Kernel32.Dll -> WINNT\Kernel32.Dll

and infects this copy. While infecting, the virus patches the KERNEL32.DLL Export table so that the GetFileAttributesA function points to the virus code in the infected KERNEL32.DLL file. The virus then returns control to the host program and is not active anymore.
The virus infection routine is then activated only when an infected KERNEL32.DLL is loaded into the Windows memory (upon the next Windows start-up). The GetFileAttributesA function points to virus code, so the virus does not need to perform any additional actions to stay in the Windows memory - it stays memory resident as a part of KERNEL32.DLL and hooks the file-attributes reading routine. When this call is performed by any applications, the virus infects corresponding file in case it has PE EXE format.

Details
Win95.Dodo

It is not a dangerous memory resident parasitic virus. It replicates under Win9x systems only. Known virus version does not infect WinME systems because of a bug.
The virus stays in Windows memory as a component of KERNEL32.DLL system library, patches KERNEL32 addressed to install its hook on file opening calls, and then infects PE EXE and DLL files that are opened.
While infecting a file the virus writes itself to “caves” in file body, if there are such ones. The infection method looks similar to the “Win95.CIH” virus: the virus body is split to blocks that are stored at the end of PE sections, if there are “caves” of enough size.
Starting from 2001 on 1st day of each month the virus sets the system date to 1981.
The virus contains the text strings:
Dodo 1.2

Details
Win95.DarkSide

It is not a dangerous nonmemory resident parasitic Win95 virus. It searches for PE EXE files, then writes itself to the end of the file: increases the size of last section, writes its code to there and modifies the entry point address. To get access to Windows file access function the virus scans Win95 Kernel32 internal formats. To detect already infected files the virus saves the “LT” string to the checksum field in DOS stub header.
On March 9th the virus displays the MessageBox:
DarkSide
Nothing Going to
Save you From a Love
that’s Blind
Slip to the
DarkSide
and Cross that Line
March 9, 1986

The virus also contains the text that contains names of functions used by the virus:
CreateFileA _lclose ReadFile FindFirstFileA FindNextFileA WriteFile
SetFilePointer LoadLibraryA GetProcAddress USER32 MessageBoxA

Details
Win95.Darkmil.4639

This text was written by Adrian Marinescu, GeCAD software
This is a dangerous polymorphic memory resident Windows9x specific virus. It will not spread itself under any operating systems other than Windows95 and Windows98 due to the mechanisms used for replication. The memory installation part is a slight variation of the method used by the infamous Win95.CIH - Darkmil patches the IDT to point to it’s own code than executes an interrupt which will run the virus code under the Ring0 privilege level.
When executing an infected file, Darkmil will receive control, decrypt itself then check if there’s already another copy of it in memory. If not, it will install itself in the VxD drivers area, hook the IFS API calls then give the control back to the host program. Due to the hooked IFS, the virus code will receive control each time a file I/O operation is requested to the IFS Manager. The virus will filter OPEN/RENAME and FILEATTRIB functions. When such service is called, it will check if the extension of the file is .EXE or .SCR and infect them. Also, the virus checks for .BMP and .GIF files - if such files are opened the virus will call one of it’s payloads.
The infection mechanism is simple but efficient - Darkmil will enlarge the last section to hold the entire virus body and the decryptor code, write it’s code in there and then patch the file entrypoint to load the virus code first.
After 200 infected files the virus will display a Blue Message Box with the following text:
DarkMillennium Project

Copyright (C) 1999 by Clau/Ultimate Chaos
www.ultimatechaos.org
Greets to all VXers out there !

Using it’s own random number generator Darkmil will choose a number between 1 and 10000. If this number is less than 500 Darkmil will attempt to change the RTC date from CMOS memory to 1-1-1980.
When a .BMP or .GIF image file is opened and Darkmil is memory resident, it will attempt modify the file to reduce the RGB colors inside an image with 5 levels, resulting in a darker image. However this part is very buggy and often generates Windows error messages.
The following strings are included in the virus body, but not used in any way:
DarkMillennium Project
Copyright (C) 1999 by Clau/Ultimate Chaos

Details
Win95.Companion

It is not a dangerous nonmemory resident companion virus. It searches for PE-EXE files (Win95/NT executable files), renames them with COM extension, then copies virus code with EXE extension. As a result of infection there are two files - original file with COM extension and companion file with EXE extension and with the virus body inside.
The virus infects no more than two files in the current directory. Then it executes its host file and returns control. If there are no host file, the virus shows Windows MessageBox and immediately closes it.
To do its work the virus uses standard Win95 routines exported from KERNEL32.DLL and USER32.DLL:
CopyFileA, ExitProcess, FindNextFileA, GetCommandLineA, WinExec,
lstrcpyA, FindFirstFileA, MessageBoxA

The virus also contains the texts:
*.EXE .COM
DeleteFileA

The last string is the name of standard Win95 routine, but it is never called.
Text added: Dec-23-1996

Details
Win95.CIH-Killer.1373

It is not a dangerous memory resident parasitic Win95 virus. It infects Windows executable files (PE EXE - Portable Executable), and writes itself to the end of files while infecting them. If a file is already infected by “Win95.CIH” infector, the “CIH-Killer” virus disinfects them, and then infects by its own copy. If an infected file is executed from 0:00am till 0:59am, the virus depending on the system time displays the message:
CIH Killer1.1
I’ll kill CIH,but I’ll live here,too!
Produce By SSJ. CCU. Taiwan 1999.

The virus code looks similar to “Win95.CIH” and uses same tricks to install virus code to the Windows memory. By patching system tables the virus switches itself from application mode to kernel driver (Ring3 -> Ring0), allocates a block of system memory, hooks IFS API and stays as a VxD driver. On opening PE EXE files the virus infects them by writing its code to the end of last file section. The virus then modifies necessary PE header fields.

Details
Win95.CIH

This is a Windows95/98 specific parasitic virus infecting Windows PE files (Portable Executable), which is about 1Kbyte in length. Also known as Chernobyl. This virus was found “in-the-wild” in Taiwan in June 1998, being released by its virus author who was studying at a local university at the time. The virus (accidentally?) was posted at a local Internet conference that released the virus out of Taiwan. Within a week, the virus was found in Austria, Australia, Israel, United Kingdom, and was also reported from several other countries (Switzerland, Sweden, USA, Russia, Chile, etc.).
In about a month, the infected files were accidentally put on several Web sites in the USA (game software distribution sites) that caused a global virus epidemic. In about a year after the virus’ appearance on March 26th 1999, the “time-bomb” in virus code caused a computer catastrophe when about half of a million computers were damaged because of virus infection: all of them lost data on the hard drive, and many of them also had the motherboard BIOS destroyed (plus hard-drive data damaged). This incident was significant as there had been no such global and terrible computer incidents known to date at this time.
Because the virus “bomb” day falls on the day of the Chernobyl catastrophe that shocked the world on 26th April 1986, the virus, already known as “CIH” got its second name - “Chernobyl”.
Despite this, the virus author did not link his “bomb” with Chernobyl (maybe he had never even heard of Chernobyl). It seems the “bomb” day was selected for another reason. The first virus version (that fortunately hasn’t left Taiwan) was released on April 26 1998, so the virus celebrated its “birthday” on April 26 1999.
How the virus works
The virus installs itself into the Windows memory, hooks file access calls and infects EXE files that are opened. Depending on the system date (see below), the virus runs its trigger routine. The virus has bugs and in some cases, halts the computer when an infected application is run.
The virus’ trigger routine operates with Flash BIOS ports and tries to overwrite Flash memory with “garbage”. This is possible only if the motherboard and chipset allow for the writing to Flash memory. Usually writing to Flash memory can be disabled by a DIP switch, however, this depends on the motherboard design. Unfortunately, there are modern motherboards that cannot be protected by a DIP switch - also, some of them do not pay attention to the switch position and this protection has no effect at all. Some other motherboard designs provide written protection that can be disabled/overridden by software.
The trigger routine then overwrites data on all installed hard drives. The virus uses direct disk write calls to achieve this and bypasses standard BIOS virus protection while overwriting the MBR and boot sectors.
There are three “original” virus versions known, which are very closely related and only differ in a few parts of their code. They have different lengths, texts inside the virus code and trigger date:
Length Text Trigger date Found In-The-Wild
1003 CIH 1.2 TTIT on April 26th YES
1010 CIH 1.3 TTIT on April 26th NO
1019 CIH 1.4 TATUNG on 26th of any month YES - many reports

Technical details
While infecting a file, the virus looks for “caves” in the file body. These caves are a result of the PE file structure: all file sections are aligned by a value that is defined in the PE file header, and there are unused blocks of file data between the end of the previous section and the next one. The virus looks for these caves and writes its code into them. The virus then increases the size of sections by the necessary values. As a result, the file length is not increased while infecting.
If there is a cave of enough size, the virus saves its code in one section. Otherwise, it splits its code into several parts and saves them to the end of several sections. As a result, the virus code may be found as set of pieces, not as a single block in infected files.
The virus also looks for a cave in the PE header. If there is an unused block not less than 184 bytes in length, the virus writes its startup routine to there. The virus then patches the entry address in the PE header with a value that points to the startup routine placed in the header. This is the same trick that was used in the “Win95.Murkry” virus: address of program entry points not to some file section, but to the file header - out of a loadable file data. Despite this, infected programs are run with no problems - Windows does not pay any attention to such “strange” files, loads the file header into the memory, then file sections, and then passes control to the virus startup routine in the PE header.
When the virus startup routine takes control, it allocates a block of memory by using the PageAllocate VMM call, copies itself to there, locates other blocks of virus code and also copies them to the allocated block of memory. The virus then hooks the system IFS API and returns control to the host program.
The most interesting thing in this part of the virus code is that the virus uses quite complex tricks to jump from Ring3 to Ring0: when the virus jumps to newly allocated memory, its code is then executed as Ring0 routine, and the virus is able to hook the file system calls (it is not possible in Ring3, where all users applications are run).
The IFS API virus handler intercepts only one function - file opening. When PE .EXE files are opened, the virus infects them, provided there are caves of enough size. After infection, the virus checks the file date and calls the trigger routine (see above).
While running its trigger routine, the virus uses direct access to Flash BIOS ports and VxD direct disk access calls (IOS_SendCommand).
Other known virus versions
The original virus author released not only virus code in affected EXE files to the wild, but a virus source (assembler) code as well. These source code were patched, recompiled, and new virus versions were found because of this. Most of these versions are buggy and not able to replicate, but others can do. All of them are very closed to original viruses, but there are a few differences. The main difference is that the “bomb” date has changed, and new variants of the virus either erase data and Flash BIOS on other days, or this routine is never called.
There are also “original” versions of the virus patched so that they have other “bomb” days. The reason for this is actually humorous: the virus checks the trigger date by comparing the current day and month number with two constants (two bytes). By patching these constants, it is possible to select any day the virus will destroy computers.

Details
Win95.Chimera.1542

This is a dangerous Win9x parasitic stealth virus. The virus switches its process to Windows kernel mode (Ring3->Ring0), hooks file access functions (IFS API) and stays in the system memory as Win9x driver (VxD). The virus then infects Win32 applications (PE EXE files) that are accessed.
While infecting a file, the virus writes itself to the end of the file and modifies necessary PE header fields. The virus has a bug, and in some cases, infected applications cause a standard Windows message to appear about an error in an application. The virus infects not only files with the .EXE filename extension, but any PE EXE file. As a result, many DLL, DRV and other PE files are infected (especially in the Windows system directory), as a result, the infected system in many cases cannot restart and halts with an error message.
The virus contains the following text string:
Chimera
The infected files also have an “infected ID” text string in their DOS stub:
krad

Details
Win95.Caw.1262

This is a dangerous memory resident parasitic Win95/98 virus. When an infected program starts, the virus gets control, switches itself from application level (Ring3) to Windows kernel (Ring0), allocates a block of Windows memory, hooks file-access functions (IFS API) and stays “memory resident” as a system VxD driver. The virus then intercepts file opening function and writes itself to the end of PE EXE files that are opened. While infecting a file, the virus increases the last file section and writes itself to there.
The virus has a bug, and in some cases, corrupts files while infecting them. When such files are run, they cause a standard Windows message about an error in application.
The virus has two very dangerous payloads. 1. on July 7th upon each file opening, the virus erases 16 sectors at random positions on the C: drive.
2nd: if the current minutes are 0, the virus deletes the files that are being opened: WINWORD.EXE, and files with extensions: BMP, JPG, DOC, WRI, BAS, SAV, PDF, RTF, TXT. This “feature” can be “customized”: if there is a file “C:\AW”, the virus gets “sacrificial” file names and extensions from this file, and deletes them. The name of this file was the reason for naming the virus.

Details
Win95.Bumble.1736

It is a harmless nonmemory resident encrypted parasitic Windows virus. It searches for PE EXE files (Win32 executables), then writes itself to the end of the file to the last file section by increasing its size. The virus searches for PE files in the current and Windows directories.
The virus is Win95/98 specific. To access Windows functions is scans Windows kernel data addresses that are valid only under Win9x, not WinNT.
The virus contains the text strings:
[Becoming]
[Coded by Bumblebee]

Details
Win95.Boza.a

It is not a dangerous parasitic NewEXE (PE) virus. It searches for EXE files, checks the files for PE signature, then creates in EXE file new section named “.vlad”, and writes its code into that section. This is the first known virus infecting PE EXE files (Win95).
While infecting a file that virus uses calls to functions GetDir, SetDir, FindFirst, FindNext, OpenFile, LSeek, Read, Write, and CloseFile. The virus does direct calls to KERNEL32 code without references to KERNEL32.DLL addresses, as it is described in Win32 SDK documentation. The virus checks the KERNEL32 code at the specific addresses, and then uses the direct calls to these addresses. If there is no such code in KERNEL32, the virus does not perform any action, and returns to the host program.
While searching for files, and infecting them the virus gets the current directory, searches for .EXE files, and checks them for PE signature. Then the virus increases NumberOfSections field in PE header, writes into the file new Section Header that describes new Section in the file, and writes itself to the end of the file.
While executing the virus infects up to 3 files. It looks for .EXE files in parent directories if there are no more .EXE files in the current one. Before return to the host program the virus restores the current directory.
The virus checks the system date, and on 31st displays the message box with the header:
Bizatch by Quantum / VLAD

and the message inside of the box:
The taste of fame just got tastier!
VLAD Australia does it again with the world’s first Win95 Virus
From the old school to the new..
Metabolis
Qark
Darkman
Automag
Antigen
RhinceWind
Quantum
Absolute Overlord
CoKe

The virus also contains the text strings:
.vlad
Please note: the name of this virus is [Bizatch] written by Quantum of VLAD

The virus is not bugs-free, and in some cases Windows95 displays an error message during execution of infected EXE files.

Details
Win95.Bonk family

These are dangerous memory resident parasitic Windows95/98 viruses. They install themselves into the Windows memory and write themselves to the PE EXE files that are opened. The viruses have a bug and replicate only under specific environment, otherwise they halt the system. The viruses contain the text string:
[BONK32] by Vecna/29A

They also write the “BONK” ID-text to the file PE header (to the CheckSum field). To prevent duplicate infection the viruses test the file header for this text before infecting it.
The viruses use several tricks while installing memory resident and while infecting files. The viruses allocate the memory and install themselves into the VxD area (Ring0) by using the method similar to the “Win95.CIH” . Being run in the Ring0 the viruses hook IFS API calls, intercept file opening, compare file extension with EXE and calls infection routine.
While infecting a file the viruses use two different ways to patch the program’s entry address: they either modify the entry address field in the PE header, or patch the original entry routine with JMP_Virus instruction. The second way is selected only in case there are no relocated address at program’s entry.
The viruses write their code to two parts in the file. The first part of virus code (entry routine - about 200 bytes) is saved to the file header, the main part of virus code is written to the end of the file. This second part is written as the “overlay”: the viruses do not modify the PE header to attach this code to the infected file’s code and force Windows to load this code when an infected file is executed. To access this second part the virus entry routine opens the host file, seeks to the file end and reads the main virus code from there.
To make file disinfection more complex, the viruses encrypt a part of host file (100h bytes at file entry) and do not store the encryption key. To restore the original host data before return control to the host program the viruses calculate the CRC of host block and store it. To decrypt host data the viruses try all possible keys, decrypt, calculates the CRC and checks it. If the CRC meets the original one, the viruses return to the host entry routine.

Details
Win95.Begemot

This is a dangerous memory resident parasitic polymorphic Windows virus about 8Kb in length. The virus installs itself into the Windows memory and infects PE EXE files that are accessed.
The virus uses system calls that are valid under Win95/98 only, and can’t spread under NT. The virus also has bugs, and often halts the system when run. The virus uses several unusual routines in its code: it keeps its code encrypted and compressed in infected files (while installing, it decompresses it); infects RAR archives (adds infected BEER.EXE file to archives); runs a thread that can communicate with an external module, which controls the virus (for example, enables/disables infection routine).
The virus also looks for “AVP Monitor” and “Amon Antivirus Monitor” windows, and closes them; deletes several anti-virus data files; and depending on the system timer, displays a message.
The virus also contains the “copyright” text:
Virus Win98.BeGemot by Benny/29A