Details
Win95.Chimera.1542

This is a dangerous Win9x parasitic stealth virus. The virus switches its process to Windows kernel mode (Ring3->Ring0), hooks file access functions (IFS API) and stays in the system memory as Win9x driver (VxD). The virus then infects Win32 applications (PE EXE files) that are accessed.
While infecting a file, the virus writes itself to the end of the file and modifies necessary PE header fields. The virus has a bug, and in some cases, infected applications cause a standard Windows message to appear about an error in an application. The virus infects not only files with the .EXE filename extension, but any PE EXE file. As a result, many DLL, DRV and other PE files are infected (especially in the Windows system directory), as a result, the infected system in many cases cannot restart and halts with an error message.
The virus contains the following text string:
Chimera
The infected files also have an “infected ID” text string in their DOS stub:
krad

Related Posts

This entry was posted on Sunday, July 27th, 2008 at 11:50 pm and is filed under Virus Threats.