Win32.Lev

Details
Win32.Levi

This is a non-dangerous, non-memory-resident, encrypted parasitic Win32 virus. It searches for PE EXE files (Windows executable files) in the current directory and infects them: it writes itself to the end of the last file section, increases its size and modifies the program's startup address.
Starting from the 30th generation, the virus displays a message window. The message differs between virus versions:
"Levi.3040":
Win32.Wildfire (c) 1998 Magnic
I am/I can - The Wildfire virus.
-d e c o d e-
idwhereamif73hrjddhffidosyeudifr
ghfeugenekasperskydjfkdjisfatued
938rudandmydickisgrowingehdjfggk
"Levi.3236":
Hey stupid !
Win32.Leviathan (c) 1999 by Benny
This is gonna be your nightmareall
30th generation of Leviathan is here… beware of me !
Threads are stripped, ship is sinkin’…
Greetz: Darkman/29A
Super/29A
Billy Belcebu/DDT
and all other 29Aers…
Special greet:
Arthur Rimbaud
New milenium is knockin on the door…
New generation of viruses is here, nothing promised, no regret.

While infecting, the virus runs seven threads from its main procedure. Each thread performs only a limited set of actions and passes control to the next thread: one thread checks system conditions and enables a second thread that searches for files, a third thread then checks the file structure, the next thread writes the virus code to the file, etc.
To get access to Windows Kernel32 functions, the virus scans victim files for the imported functions GetModuleHandleA and GetModuleHandleW. If these imports are not found, the virus does not infect the file. Otherwise it stores the functions' addresses and uses them in its installation routine.
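
A triage check for the file layout described above (code appended to the last section, startup address redirected into it), as an added example that is not part of the original description. The function names and the sample images built by build_sample are constructed for this demonstration, and the writable-section finding assumes that an encrypted body decrypts itself in place.

```python
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000

def entry_section(pe: bytes):
    """Return (index, section_count, name, characteristics) for the section
    that contains AddressOfEntryPoint, or None if no section contains it."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)             # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsec,) = struct.unpack_from("<H", pe, nt + 6)         # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, nt + 20)    # SizeOfOptionalHeader
    (entry,) = struct.unpack_from("<I", pe, nt + 24 + 16)  # AddressOfEntryPoint
    table = nt + 24 + opt_size                             # first section header
    for i in range(nsec):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rsize = struct.unpack_from("<III", pe, off + 8)
        (chars,) = struct.unpack_from("<I", pe, off + 36)
        if vaddr <= entry < vaddr + max(vsize, rsize):
            return i, nsec, name, chars
    return None

def check_entry_point(pe: bytes):
    """Heuristic findings for the appended-infector layout described above."""
    hit = entry_section(pe)
    if hit is None:
        return []
    i, nsec, name, chars = hit
    findings = []
    if nsec > 1 and i == nsec - 1:
        findings.append(f"entry point in last section ({name})")
        if chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"entry section {name} is writable")
    return findings

def build_sample(entry_rva: int) -> bytes:
    """Constructed headers-only PE32: .text at RVA 0x1000, .data at 0x2000."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    def sec(name, va, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, 0, 0, 0, 0, 0, chars)
    return dos + coff + opt + sec(b".text", 0x1000, 0x60000020) + sec(b".data", 0x2000, 0xC0000040)
```

Some packers and protectors produce the same layout, so a hit is a reason to look closer at a file, not a verdict.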
