Details
Win32.Apparition

This is “memory resident” Windows32 (Windows95/NT) parasitic infector. It looks as the “Win.Apparition” Windows virus that was rewritten for Windows32 - it is of the same structure (code, compressed data and so on), it uses similar algorithm of installation, infection and mutation and so on. The differences are: this virus is written in C (Windows virus was written in Pascal), it has no visible window, it has other text strings and displays other MessageBoxes.
In similar way as Windows version, this virus corrupts files while infecting them - it looks for C/Pascal subroutines header and overwrites them with FFh,FFh,xxh bytes (xxh - random byte). When this code receives control, the system generates exception. The virus intercepts it and fixes the problem. As a result, A) infected files do work under infected system, but do not after disinfection; B) this is impossible to guarantee 100% disinfection ever after fixing these patched blocks. As a result, the infected files have to be erased.

Related Posts

This entry was posted on Saturday, June 28th, 2008 at 7:50 pm and is filed under Virus Threats.