This is a non-dangerous parasitic NewEXE (PE) virus. It searches for EXE files, checks them for the PE signature, creates a new section named ".vlad" in the EXE file, and writes its code into that section. This is the first known virus infecting PE EXE files (Win95).
While infecting a file, the virus calls the functions GetDir, SetDir, FindFirst, FindNext, OpenFile, LSeek, Read, Write, and CloseFile. The virus makes direct calls to KERNEL32 code instead of referencing KERNEL32.DLL addresses as described in the Win32 SDK documentation. It checks for the expected KERNEL32 code at specific addresses and then calls those addresses directly. If there is no such code in KERNEL32, the virus does not perform any action and returns to the host program.
When searching for files and infecting them, the virus gets the current directory, searches for .EXE files, and checks them for the PE signature. It then increases the NumberOfSections field in the PE header, writes a new Section Header that describes the new section in the file, and writes itself to the end of the file.
On each execution the virus infects up to 3 files. It looks for .EXE files in parent directories if there are no more .EXE files in the current one. Before returning to the host program, the virus restores the current directory.
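The section-table change described above leaves a marker a scanner can look for. The following Python sketch is an added example, not code from the original description: it walks the PE header fields named in the text (PE signature, NumberOfSections, Section Headers) and reports a section named ".vlad". The function names, result labels and the header-only sample image are constructed for illustration.

```python
import struct

MARKER = ".vlad"  # section name the description attributes to this virus

def pe_section_names(data: bytes):
    """Return the section names of a PE image, or None if data is not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    (count,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(count):
        off = table + 40 * i  # each Section Header is 40 bytes
        if off + 40 > len(data):
            break  # header claims more sections than the file holds
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names

def check_file(data: bytes) -> str:
    """Classify data as 'not-pe', 'clean', 'marker' or 'marker-last'."""
    names = pe_section_names(data)
    if names is None:
        return "not-pe"
    if MARKER not in names:
        return "clean"
    # The description says the new section is appended, so expect the last slot.
    return "marker-last" if names[-1] == MARKER else "marker"

def build_sample(names):
    """Constructed header-only test image; not a runnable executable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + table

if __name__ == "__main__":
    for names in ([".text", ".data"], [".text", ".data", MARKER]):
        print(names, "->", check_file(build_sample(names)))
```

A matching section name is only a marker for triage; it does not by itself prove that the section holds the virus code.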
The virus checks the system date, and on the 31st displays a message box with the header:

Bizatch by Quantum / VLAD

and the message inside of the box:

The taste of fame just got tastier! VLAD Australia does it again with the world's first Win95 Virus From the old school to the new.. Metabolis Qark Darkman Automag Antigen RhinceWind Quantum Absolute Overlord CoKe

The virus also contains the text strings:

.vlad
Please note: the name of this virus is [Bizatch] written by Quantum of VLAD

The virus is not bug-free, and in some cases Windows95 displays an error message during execution of infected EXE files.
