Win95.Jacky.144

Details
Win95.Jacky.1440

It is a harmless, non-memory-resident parasitic Win95/NT virus, 1440 bytes in length. When executed, the virus scans the Win95/NT kernel and gets the undocumented addresses of system file access functions (see the list below). Then it searches for NewEXE Portable Executable (Win95 and NT) files and writes itself to the end of the file. The virus aligns the file length to the section, so the file length grows by more than 1440 bytes during infection.
This is the first known Win95/NT parasitic virus that does not add a new section to the file: while infecting a file, the virus writes itself to the end of the file, increases the size of the last section in the file, and modifies the characteristics of this section. So only the entry point address and the size and characteristics of the last section are modified in infected files.
This is also the first Win95/NT infector known to me that worked on my test computer (Windows95) without any problem. I did not try it under NT.
The virus contains encrypted strings. Some of these strings are the names of system functions that are used during infection:
KERNEL32 GetModuleHandleA GetProcAddress
*.EXE
CreateFileA CreateFileMappingA CloseHandle UnmapViewOfFile
MapViewOfFile FindFirstFileA FindNextFileA FindClose
SetFileAttributesA SetFilePointer SetEndOfFile SetFileTime
To My d34d fRi3nD c4b4n4s..
A Win/NT/95 ViRuS v1.00.
By: j4cKy Qw3rTy / 29A.
jqw3rty@cryogen.com
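
A triage check for the header pattern described above (entry point moved, last section enlarged), as an added example that is not part of the original description. It assumes the modified entry point lands inside the enlarged last section, which the text implies but does not state; check_last_section and build_sample are hypothetical names, and the sample header is constructed.

```python
import struct

def check_last_section(data: bytes) -> dict:
    """Report whether a PE file's entry point lies inside its last section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec, = struct.unpack_from("<H", data, pe + 6)          # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)     # SizeOfOptionalHeader
    entry, = struct.unpack_from("<I", data, pe + 24 + 16)   # AddressOfEntryPoint (RVA)
    if nsec == 0:
        raise ValueError("no sections")
    # Last entry of the section table: the one an appending infector enlarges.
    last = pe + 24 + opt_size + 40 * (nsec - 1)
    name, vsize, vaddr, rsize, _, _, _, _, _, flags = struct.unpack_from(
        "<8sIIIIIIHHI", data, last)
    in_last = vaddr <= entry < vaddr + max(vsize, rsize)
    return {
        "last_section": name.rstrip(b"\0").decode("ascii", "replace"),
        "last_section_flags": hex(flags),       # raw Characteristics, for analyst review
        "entry_in_last_section": in_last,
        "suspicious": in_last and nsec > 1,     # a one-section file always matches
    }

def build_sample(entry_rva: int) -> bytes:
    """Constructed two-section PE header stub (headers only, no code)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    def sec(name, vaddr, size, rptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, rptr, 0, 0, 0, 0, flags)
    return (dos + coff + opt + sec(b".text", 0x1000, 0x1000, 0x400, 0x60000020)
            + sec(b".reloc", 0x2000, 0x1000, 0x1400, 0x42000040))

if __name__ == "__main__":
    for rva in (0x1200, 0x2800):   # entry in .text, then entry in the last section
        print(hex(rva), check_last_section(build_sample(rva)))
```

An entry point in the last section is a heuristic, not proof of infection: packers and some linkers produce the same layout, so a hit marks a file for closer inspection.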
