Win32.Enumiacs.665

Details
Win32.Enumiacs.6656

This is a non-dangerous, memory-resident, parasitic Windows virus. It replicates under Win32: it stays in system memory and infects PE EXE files as they are run. The virus has an anti-anti-virus capability: it searches for the AVP Monitor window and terminates it. The virus does not manifest itself in any other way. It contains the following text strings:
[Enumiacs] by Virogen [NOP]
Enumiacs by Virogen[NOP]
** THIS IS A BETA VERSION NOT INTENDED FOR PUBLIC RELEASE {0.5} **

When an infected file is executed, the virus gets control, scans the KERNEL32.DLL export table to obtain the addresses of the Windows functions it needs, and then installs itself in Windows memory. To do that, the virus creates its dropper file ENUMIAC.EXE in the Windows system directory, writes its “pure” code into it, and executes it. This “pure” virus dropper is a PE EXE program that contains nothing except the virus code and data.
When the virus dropper is executed, it stays in Windows memory as a hidden application (service) and runs an infection loop: the virus searches for programs that are active in the system (enumerates them), stores their names (up to 125 names), waits for some time and then infects them.
While infecting, the virus writes its code to the end of the file (appending it to the end of the last file section) and modifies the necessary PE header fields, including the EntryPoint address and the size of image, and even recalculates the file checksum.
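
For triage, the traits described above can be checked statically. The following is an added example, not code from the original page: it parses a PE header, reports whether the EntryPoint falls inside the last section, and looks for the marker strings quoted above. It assumes the modified EntryPoint points into the appended code, which the description implies but does not state; `triage_pe` and `build_sample` are hypothetical names, and the sample images are constructed.

```python
import struct

# Marker strings quoted in the description above.
MARKERS = (b"[Enumiacs] by Virogen [NOP]", b"Enumiacs by Virogen[NOP]")

def triage_pe(data: bytes) -> dict:
    """Static indicators for the appending-infector pattern described above."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)         # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    n_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    entry_rva, = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i                      # 40-byte section headers
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, _ = struct.unpack_from("<4I", data, off + 8)
        sections.append((name, vaddr, max(vsize, rsize)))
    if not sections:
        raise ValueError("no section table")
    # Code appended to the last section runs only if EntryPoint points there.
    name, vaddr, span = max(sections, key=lambda s: s[1])
    return {
        "last_section": name,
        "entry_in_last_section": vaddr <= entry_rva < vaddr + span,
        "markers": [m.decode() for m in MARKERS if m in data],
    }

def build_sample(entry_rva: int, tail: bytes = b"") -> bytes:
    """Constructed header-only image for the parser (not a runnable program)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    def sec(name, vaddr, size):
        return struct.pack("<8sIIII", name, size, vaddr, size, 0).ljust(40, b"\0")
    return (dos + b"PE\0\0" + coff + opt
            + sec(b".text", 0x1000, 0x800) + sec(b".data", 0x2000, 0x400) + tail)

if __name__ == "__main__":
    print(triage_pe(build_sample(0x1000)))               # entry in .text
    print(triage_pe(build_sample(0x2200, MARKERS[0])))   # entry in last section
```

An entry point in the last section is only a heuristic, since packers and protectors produce the same layout. Because the virus recalculates the checksum, a valid PE checksum says nothing about whether a file was modified.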
