Prevent Online Threats

Win32.Eva

Details
Win32.Eva

This is a direct action (non-memory resident) parasitic Win32 infector. It searches for PE EXE files in the Windows, Windows system and current directories, then writes itself to the end of the file.
While infecting, the virus does not modify the host's PE header at all. The infection relies only on the DOS stub header: the virus writes a new PE header offset there, one that points to the virus's own PE header. As a result, the infected file has three parts: the first part is the original DOS stub; the second part is the host PE data (not modified); and the third part is the virus code and data.
The virus itself has a PE file structure: it contains a PE header, section headers, an import table, and code and data sections. The modified DOS stub in an infected file points to the virus's PE header instead of the original one. As a result, when an infected file is executed, Windows reads and runs the virus's code instead of the host's.
To return control to the host program, the virus creates a copy of the infected file, disinfects it (it just restores the file's PE header offset) and spawns it.
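The layout described above leaves the host's PE header intact but unreferenced, which gives a simple static check. The following is an added example, not code from the original page: it reads the PE header offset from the DOS header and reports any other plausible PE header located before it. The field name `e_lfanew` and its offset 0x3C come from the PE format; the function names, the plausibility thresholds and the sample bytes are assumptions made for illustration.

```python
import struct

MACHINES = {0x014C, 0x8664}   # i386, x86-64
OPT_MAGICS = {0x10B, 0x20B}   # PE32, PE32+

def pe_header_at(data, off):
    """True if a plausible PE header (signature, COFF header, optional magic) starts at off."""
    if off + 26 > len(data) or data[off:off + 4] != b"PE\0\0":
        return False
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, off + 4)
    (magic,) = struct.unpack_from("<H", data, off + 24)
    return machine in MACHINES and 1 <= nsect <= 96 and opt_size > 0 and magic in OPT_MAGICS

def orphaned_headers(data):
    """Offsets of plausible PE headers located before the one e_lfanew selects.

    Returns None when the input is not a valid MZ/PE image at all.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # PE header offset kept in the DOS header
    if not pe_header_at(data, e_lfanew):
        return None
    found, pos = [], data.find(b"PE\0\0", 0x40)
    while pos != -1 and pos < e_lfanew:
        if pe_header_at(data, pos):
            found.append(pos)  # a complete header the loader never reads
        pos = data.find(b"PE\0\0", pos + 1)
    return found

# Constructed sample: headers only, no code. Not taken from a real specimen.
def _header(nsect):
    coff = struct.pack("<HHIIIHH", 0x014C, nsect, 0, 0, 0, 0xE0, 0x0102)
    return b"PE\0\0" + coff + struct.pack("<H", 0x10B)

def build_sample(e_lfanew):
    buf = bytearray(0x500)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[0x80:0x80 + 26] = _header(3)    # first header, directly after the DOS stub
    buf[0x400:0x400 + 26] = _header(2)  # header of a second image at the end of the file
    return bytes(buf)

if __name__ == "__main__":
    for label, off in (("e_lfanew -> first header", 0x80), ("e_lfanew -> last header", 0x400)):
        print(label, [hex(o) for o in orphaned_headers(build_sample(off))])
```

A non-empty result is a heuristic indicator only; a PE header that appears after the active one (for example an executable embedded as data) is deliberately not reported.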
On February 2nd, the virus displays the following message window:
Win32.Eva by Benny, (c) 1999
Hello stupid user, i’m so sorry, but i have to interrupt your work,
’cause I hate this shitty program. Click OK to continue.

Greets to:
Super/29A
Darkman/29A
Jacky Qwerty/29A
Billy Belcebu/DDT
and many other 29Aersall
