Win95.Lizard.196
Details
Win95.Lizard.1967
This is a very dangerous Win95/DOS virus. It infects DOS EXE files and creates VxD (Win95) droppers; in DOS EXE files the virus is encrypted. Depending on the system timer, the virus erases EXE files instead of infecting them. The virus is named after a text string found inside the virus code:
Lizard by Reptile
When an infected DOS EXE file is executed, the virus creates its dropper in one of the following Windows directories:
c:\windows\system\iosubsys\lizard.vxd
c:\win95\system\iosubsys\lizard.vxd
c:\windows.000\system\iosubsys\lizard.vxd
If none of these directories exists, the virus returns to the host program without any harm to the system. Otherwise, Windows95 gets a virus dropper, a VxD (EXE LE) file, in the auto-run directory SYSTEM\IOSUBSYS.
When Windows loads, it runs all VxD drivers from its auto-run directories. As a result, the virus takes control and installs itself into the system as a memory-resident program. It hooks the Interrupt 21h V86 chain and intercepts five calls: Execute, Create, Open, Close and FindFirst. On any of these calls the virus searches for DOS EXE files in the current directory and writes itself to the end of the file.
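For triage of a mounted disk image, the dropper paths and the VxD (EXE LE) format described above can be checked as follows. This is an added example, not part of the original description; the function names are hypothetical, the sample file is a constructed inert stub, and whether the marker string is stored in plaintext in the dropper is an assumption.

```python
import struct
from pathlib import Path

# Dropper locations from the description, relative to the root of the C: volume.
DROPPER_PATHS = ["windows/system/iosubsys/lizard.vxd",
                 "win95/system/iosubsys/lizard.vxd",
                 "windows.000/system/iosubsys/lizard.vxd"]
MARKER = b"Lizard by Reptile"  # text string quoted in the description

def is_le_executable(data: bytes) -> bool:
    """True if data is an MZ file whose header offset at 0x3C points to 'LE'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 2] == b"LE"

def resolve_nocase(root: Path, rel: str):
    """Resolve rel under root ignoring case (FAT names on a case-sensitive host)."""
    cur = root
    for part in rel.split("/"):
        hits = [p for p in cur.iterdir() if p.name.lower() == part] if cur.is_dir() else []
        if not hits:
            return None
        cur = hits[0]
    return cur if cur.is_file() else None

def scan_volume(root: Path) -> list:
    """Return one finding per listed dropper path that exists under root."""
    findings = []
    for rel in DROPPER_PATHS:
        path = resolve_nocase(root, rel)
        if path is not None:
            data = path.read_bytes()
            # Assumption: the marker may or may not be stored in plaintext in the VxD.
            findings.append({"path": rel, "is_le": is_le_executable(data),
                             "marker": MARKER in data})
    return findings

def make_constructed_sample(root: Path) -> Path:
    """Constructed fixture: an inert 0x42-byte MZ stub with an 'LE' signature."""
    folder = root / "WINDOWS" / "SYSTEM" / "IOSUBSYS"
    folder.mkdir(parents=True)
    stub = bytearray(0x42)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:] = b"LE"
    (folder / "LIZARD.VXD").write_bytes(bytes(stub))
    return root
```

A file at one of these paths is the primary indicator; the is_le and marker fields only help separate a real VxD from an unrelated file of the same name.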