Details
Win95.DarkSide

It is not a dangerous nonmemory resident parasitic Win95 virus. It searches for PE EXE files, then writes itself to the end of the file: increases the size of last section, writes its code to there and modifies the entry point address. To get access to Windows file access function the virus scans Win95 Kernel32 internal formats. To detect already infected files the virus saves the “LT” string to the checksum field in DOS stub header.
On March 9th the virus displays the MessageBox:
DarkSide
Nothing Going to
Save you From a Love
that’s Blind
Slip to the
DarkSide
and Cross that Line
March 9, 1986

The virus also contains the text that contains names of functions used by the virus:
CreateFileA _lclose ReadFile FindFirstFileA FindNextFileA WriteFile
SetFilePointer LoadLibraryA GetProcAddress USER32 MessageBoxA

Related Posts

This entry was posted on Monday, July 28th, 2008 at 7:50 pm and is filed under Virus Threats.