Win95.Sa
Details
Win95.Sab
These are nonmemory reisdent parasitic Win9x viruses. They replicate under Win95/98 only and infect PE executable files. When an infected file is executed, the virus searches for PE EXE files in the current directory only, then writes itself to the end of the file.
To access disk files the viruses scan Windows kernel, locate a “gate routine” to DOS functions (INT 21h) and then use that “gate” to call old-style DOS functions: file find, open, read and write. This method is valid for Win9x kernel only, and the viruses fail to spread under WinNT.
Sab.512
The virus marks the infected files with the “w512″ stamp in the PE header to avoid reinfection. The virus has bugs and often corrupts files while infecting them. Overall, it is a Silly and Buggy virus, that it why it was named “Sab” (that was the first known virus version, and that name was kept whole family).
Sab.753
This virus seems to be bugs-free, and infected files stays not corrupted.
The virus does not manifest itself in any way. It contains the text strings:
When the hour comes you’ll have to pay
Pay with your lives, Watch your backs!
It’s time for holocaust, holocaust, HOLOCAUST 2000!
Win9x.H0l0caust 2000! Brought to you from System33 security!
Copyright (c) DemenTed of System33 security
Related Posts