Opera.101
Details
Opera.1013
This is a relatively harmless memory-resident parasitic virus. The virus affects executable files of two different platforms: DOS COM files as well as Windows VxD drivers.
The virus installs itself into DOS memory: it allocates a block of memory, hooks INT 21h and INT 2Fh, and stays memory resident. The INT 2Fh hook is used only to detect an already installed TSR copy, which prevents duplicate installation. The INT 21h hook intercepts file access functions such as file execution, opening, renaming, and reading/writing file attributes. When such a function is intercepted, the virus checks the file name extension and infects files that have a .COM or .VXD extension.
When infecting a DOS COM file, the virus moves a block of the file's code from the top of the file to the bottom, and writes its own code to the top. The host code stored at the bottom of the file is written there in encrypted form.
A similar method is used when infecting VxD drivers, but the virus writes itself into the middle of the file, at the address of a 16-bit VxD entry routine. The virus looks for the 16-bit entry in the VxD and infects only those drivers that have such an entry. It then moves that routine to the bottom of the file and overwrites the original address with its own code.
On July 25th, when run from an infected COM file, the virus decrypts and displays the following message:
Opera IX, Horned Beast/VADER