Win95.Dupator.1503

This is a harmless memory-resident parasitic Win32 virus. It infects Win32 PE EXE files and also the KERNEL32.DLL Windows system file. The virus does not manifest itself in any way. Because of a bug, the virus does not work on WinNT machines.
While infecting a file, the virus creates a new PE section at the end of the file and writes its code there. In the case of applications, the virus then modifies the program's start-up address; in the case of KERNEL32.DLL, the virus patches the export table (see below). The virus section in infected files has the name "DUPATOR!", and this string may be used for manual detection of infected files.
When an infected program is run, the virus takes control and infects the KERNEL32.DLL file. To do this, the virus copies the file from the Windows system directory (where it is located by default) to the Windows directory, for example:
WINDOWS\SYSTEM\Kernel32.Dll -> WINDOWS\Kernel32.Dll
WINNT\SYSTEM32\Kernel32.Dll -> WINNT\Kernel32.Dll

and infects this copy. While infecting, the virus patches the KERNEL32.DLL export table so that the GetFileAttributesA entry points to the virus code in the infected KERNEL32.DLL file. The virus then returns control to the host program and is not active anymore.
The virus infection routine is activated only when the infected KERNEL32.DLL is loaded into Windows memory (upon the next Windows start-up). Because the GetFileAttributesA export points to the virus code, the virus does not need to perform any additional actions to stay in Windows memory: it remains memory resident as a part of KERNEL32.DLL and hooks the file-attributes reading routine. When any application performs this call, the virus infects the corresponding file if it has PE EXE format.
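The description above gives two file-level indicators a defender can check without running anything: an appended PE section named "DUPATOR!" and, in infected applications, a start-up address (AddressOfEntryPoint) that falls inside that section. The following scanner is an added example, not code from the original entry or from any antivirus vendor. It parses only the PE headers it needs with the standard library (no pefile dependency), and the two sample images it scans are constructed in the block itself (minimal PE32 headers with no real code), so it runs offline; the section names, addresses and the 0x5DF (1503-byte) virtual size are illustrative values, not taken from a real sample.

```python
import struct

# Section name the virus writes into infected files, per the description.
VIRUS_SECTION_NAME = b"DUPATOR!"


def parse_pe(data: bytes):
    """Return (entry_point_rva, sections) for a PE32 image; raise ValueError if malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]       # COFF +2
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]          # SizeOfOptionalHeader
    opt = coff + 20
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint
    table = opt + opt_size                                           # section table follows
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr = struct.unpack_from("<8sII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr, "vsize": vsize})
    return entry_point, sections


def scan_for_dupator(data: bytes) -> dict:
    """Flag the indicators described for Win95.Dupator.1503 in one PE image."""
    entry_point, sections = parse_pe(data)
    virus = [s for s in sections if s["name"] == VIRUS_SECTION_NAME]
    section_found = bool(virus)
    # The virus appends its section at the end of the file, so report whether the
    # suspicious section is last, and whether the entry point was redirected into it.
    last_is_virus = section_found and sections[-1]["name"] == VIRUS_SECTION_NAME
    entry_in_virus = any(
        s["vaddr"] <= entry_point < s["vaddr"] + s["vsize"] for s in virus
    )
    return {
        "section_found": section_found,
        "last_section_is_virus": last_is_virus,
        "entry_in_virus_section": entry_in_virus,
        "infected": section_found,
    }


def build_sample_pe(sections, entry_point: int) -> bytes:
    """Constructed minimal PE32 header image (no code bytes) used only to exercise the scanner."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                           # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                    vsize, 0, 0, 0, 0, 0, 0x60000020)
        for name, vaddr, vsize in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: a clean image and one shaped like an infected application.
CLEAN_SAMPLE = build_sample_pe([(b".text", 0x1000, 0x800)], entry_point=0x1000)
INFECTED_SAMPLE = build_sample_pe(
    [(b".text", 0x1000, 0x800), (VIRUS_SECTION_NAME, 0x2000, 0x5DF)], entry_point=0x2010
)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(label, scan_for_dupator(image))
```

The section-name check alone is what the entry calls "manual detection"; the entry-point check adds confidence for infected applications. For the KERNEL32.DLL case the entry point is not changed (the export table is patched instead), so on that file only the section indicator applies, and a full check would additionally resolve the GetFileAttributesA export and confirm its RVA lies outside the "DUPATOR!" section.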
