Win32.Damm.1537

Details

This is a benign memory-resident parasitic Windows virus. It uses Windows 98 specific calls and can spread only under Windows 98. To stay resident, the virus switches itself to kernel mode through Windows 98 kernel functions, hooks the Installable File System (IFS) file-access functions and infects PE EXE files when they are opened, renamed or have their attributes queried. When infecting a file, the virus appends its body to the end of the file.
The virus uses anti-debugging tricks and appears to disable Windows debuggers. It also looks for several installed anti-virus monitors and disables them by patching their code. Before infecting, the virus checks the file name and leaves anti-virus programs and some utilities alone; it recognises them by comparing the file name against the following strings:
AVP _AVP NAV TB F- WEB PAV GUARDDOG DRW SPIDER
DSAV NOD MTX MATRIX WINICE FDISK SCAN DEFRAG
On the 1st of each month the virus hides the desktop icons by setting the following registry value (a value of 1 under this Explorer policy key hides every icon on the desktop; deleting the value or setting it to 0 restores them):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDesktop = 1
The virus also contains the “copyright” text strings:
DAMMiT by ULTRAS [MATRiX]
(c) 2000
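The following is an added example, not code from this page or from any anti-virus vendor: a small Python scanner that checks a PE file for the traits the description above gives an appending infector (entry point moved into the last section, a writable and executable last section, the DAMMiT marker strings) and reproduces the file-name exclusion test. The PE builder and the two sample images are constructed here only so the scanner can be exercised offline; substring matching for the name test and the exact flags on the appended section are assumptions, since the page does not say how the virus compares names or what characteristics it gives the section it adds.

```python
import struct

FILE_ALIGN = 0x200
SEC_ALIGN = 0x1000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Strings the page reports the virus carries. Matching on them is a plain
# signature; the section checks below are structural heuristics.
DAMM_MARKERS = (b"DAMMiT by ULTRAS [MATRiX]", b"(c) 2000")
# File-name fragments the page lists as the virus's do-not-infect set.
DAMM_SKIP_NAMES = ("AVP", "_AVP", "NAV", "TB", "F-", "WEB", "PAV", "GUARDDOG",
                   "DRW", "SPIDER", "DSAV", "NOD", "MTX", "MATRIX", "WINICE",
                   "FDISK", "SCAN", "DEFRAG")


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections, entry_rva):
    """Build a header-only PE32 image (constructed test data, not runnable code).
    sections: list of (name, virtual_address, payload_bytes, characteristics)."""
    nsec = len(sections)
    headers_end = _align(0x40 + 4 + 20 + 0xE0 + 40 * nsec, FILE_ALIGN)
    raw_ptr, sec_hdrs, bodies = headers_end, b"", b""
    for name, va, payload, chars in sections:
        raw_size = _align(len(payload), FILE_ALIGN)
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                len(payload), va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        bodies += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva,
                      0, 0, 0x400000, SEC_ALIGN, FILE_ALIGN).ljust(0xE0, b"\0")
    return (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(headers_end, b"\0") + bodies


def parse_pe(data):
    """Return (entry_rva, [(name, va, vsize, rawsize, rawptr, chars), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    entry, = struct.unpack_from("<I", data, opt + 16)            # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append((name, va, vsize, rawsize, rawptr, chars))
    return entry, sections


def scan_pe(data):
    """List the traits an appending PE infector such as Damm leaves behind."""
    entry, sections = parse_pe(data)
    findings = []
    if sections:
        name, va, vsize, rawsize, rawptr, chars = sections[-1]
        if va <= entry < va + max(vsize, rawsize):
            findings.append(f"entry point 0x{entry:x} lies in last section {name!r}")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"last section {name!r} is writable and executable")
    for marker in DAMM_MARKERS:
        if marker in data:
            findings.append(f"marker string {marker!r} present")
    return findings


def virus_would_skip(filename):
    """Reproduce the do-not-infect test. Substring matching on the upper-cased
    name is an assumption; the page only says the name is compared with the set."""
    upper = filename.upper()
    return any(s in upper for s in DAMM_SKIP_NAMES)


# Constructed samples, not real files: a clean two-section image, and the same
# image with an extra writable+executable section that carries the marker text
# and owns the entry point, which is what appending to the end of the file yields.
_CLEAN_SECTIONS = [(".text", 0x1000, b"\xC3" * 32, 0x60000020),
                   (".data", 0x2000, b"\0" * 32, 0xC0000040)]
SAMPLE_CLEAN = build_pe(_CLEAN_SECTIONS, 0x1000)
SAMPLE_INFECTED = build_pe(_CLEAN_SECTIONS + [
    (".damm", 0x3000, b"\xE9\0\0\0\0DAMMiT by ULTRAS [MATRiX]\0(c) 2000\0", 0xE0000020)],
    0x3000)

if __name__ == "__main__":
    for label, image in (("clean", SAMPLE_CLEAN), ("infected", SAMPLE_INFECTED)):
        print(label, scan_pe(image) or "no findings")
    print("AVP32.EXE skipped:", virus_would_skip("AVP32.EXE"))
```

To scan a real file, pass `open(path, "rb").read()` to `scan_pe`. The first two findings are heuristics, not proof: packed or self-extracting executables also put their entry point in a final writable and executable section, so treat them as a reason to look closer and rely on the marker string for attribution to this particular virus.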
