Win95.Yabran
This is a non-dangerous, memory-resident, parasitic Windows virus. It spreads under Windows 95/98 and infects PE EXE files. The virus is not able to spread under Windows NT. In December, on every odd day up to the 23rd (1st, 3rd, 5th, 7th and so on up to the 23rd) and on the 24th, the virus displays the message:
######$$$$ VIRUS YABRAN $$$######
CREIAN QUE ESTABA MUERTO NO???…JAJAJAJA.
^^by SoPinKy. Argentina.^^ FELICES FIESTAS
While installing itself into Windows memory, the virus jumps from the application level to the system level (from Ring 3 to Ring 0). To do that, it processes the system's protected-mode descriptor tables, reads the necessary information from them and modifies them. After that the virus runs as a system driver and is able to access low-level system functions such as VxD calls.
The virus then allocates a block of system memory, copies its code there, hooks IFS API calls and returns control to the host program. The virus intercepts only one file function: file opening. On such calls the virus compares the file name extension with “EXE”, opens the file, parses its internal structure, appends its code to the end of the last file section and modifies the file header, including the address of the entry point.
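The infection method described above leaves a structural trace a scanner can check for: the PE entry point ends up inside the last section instead of the code section. The following Python sketch is an added example, not part of the original description; the function names, section names and RVAs in the sample image are constructed for illustration.

```python
import struct

def entry_point_section(data: bytes):
    """Return (index, section_count, name) of the section holding the entry point."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    n_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    entry_rva, = struct.unpack_from("<I", data, pe_off + 24 + 16)  # AddressOfEntryPoint
    table = pe_off + 24 + opt_size                           # first section header
    for i in range(n_sections):
        name, vsize, vaddr, rsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            return i, n_sections, name.rstrip(b"\0").decode("ascii", "replace")
    return None, n_sections, ""

def entry_in_last_section(data: bytes) -> bool:
    """Heuristic: appending infectors redirect the entry point into the last section."""
    idx, count, _ = entry_point_section(data)
    return count > 1 and idx == count - 1

def build_sample(entry_rva: int) -> bytes:
    """Constructed header-only PE image: .text at RVA 0x1000, .reloc at RVA 0x2000."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x010F)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    def sec(name, vaddr):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, vaddr, 0x200, 0, 0, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff + opt + sec(b".text", 0x1000) + sec(b".reloc", 0x2000)

if __name__ == "__main__":
    for rva in (0x1000, 0x2010):   # clean layout vs. entry point moved to last section
        print(hex(rva), entry_point_section(build_sample(rva)), entry_in_last_section(build_sample(rva)))
```

A hit is a triage signal rather than a verdict, since some legitimately packed or protected executables also start in their last section.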