Win95.K32.101
Details
Win95.K32.1012
This is a benign, memory-resident parasitic virus. It infects Windows 95 system memory and writes itself to the end of PE EXE files. On February 19th, it displays the following MessageBox:
nIgr0_lives_here!!!!
Virus K32 por nIgr0 all “Hazlo o no lo hagas pero no lo intentes”
When an infected file is executed, the virus scans the KERNEL32.DLL data, obtains the addresses of the Windows functions it needs (CreateFile, SetFilePointer, ReadFile, WriteFile, CloseHandle, CreateProcessA, GetModuleHandleA, and GetProcAddress), copies itself into unused data in the Windows kernel, and hooks the CreateProcess function. To hook this function, the virus patches the Windows kernel with a Jmp_Virus instruction. While infecting a file, the virus increases the size of the file's last section and writes itself there.
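The last-section growth described above is something a defender can triage from the PE headers alone. The following is an added example, not part of the original description and not a signature for this virus: it parses the section table and reports two generic appender heuristics. The entry-point check and the writable-plus-executable check are assumptions about appending infectors in general, and `build_sample` produces constructed header-only test images.

```python
import struct

SCN_EXEC, SCN_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_EXECUTE / _WRITE

def parse_pe(data):
    """Return (entry_point_rva, [(name, vaddr, vsize, raw_size, flags), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]  # AddressOfEntryPoint
    table, sections = pe + 24 + opt_size, []
    for i in range(nsect):
        name, vsize, vaddr, rsize, _rptr, flags = struct.unpack_from(
            "<8sIIII12xI", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vaddr, vsize, rsize, flags))
    return entry, sections

def appender_indicators(data):
    """Heuristic findings about the last section (generic, not a K32 signature)."""
    entry, sections = parse_pe(data)
    if not sections:
        return []
    name, vaddr, vsize, rsize, flags = max(sections, key=lambda s: s[1])
    findings = []
    if vaddr <= entry < vaddr + max(vsize, rsize):
        findings.append(f"entry point 0x{entry:X} lies in last section {name!r}")
    if flags & SCN_EXEC and flags & SCN_WRITE:
        findings.append(f"last section {name!r} is writable and executable")
    return findings

def build_sample(entry, last_flags):
    """Constructed header-only PE image with two sections, for demonstration."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 16, entry)
    def sec(name, vaddr, ptr, flags):
        return struct.pack("<8sIIII12xI", name, 0x1000, vaddr, 0x200, ptr, flags)
    return (dos + b"PE\0\0" + coff + bytes(opt)
            + sec(b".text", 0x1000, 0x400, 0x60000020)
            + sec(b".reloc", 0x2000, 0x600, last_flags))

if __name__ == "__main__":
    for label, img in (("clean", build_sample(0x1000, 0x42000040)),
                       ("appended", build_sample(0x2100, 0xE0000040))):
        print(label, appender_indicators(img))
```

Both heuristics also fire on some packed or self-modifying legitimate programs, so a hit is a reason to inspect the file, not a verdict.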