Virus.Win32.Kenston.1895.a
| Alert Level: | High |
| Discovered: | Mar 07 2000 |
| Tag: | Executable File and Boot Viruses |
| Discoverer and Source: | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
This is a non-dangerous, non-memory-resident, parasitic Win32 virus. It is encrypted with a simple method (an XOR-bytes loop). When an infected program runs, the virus takes control, searches for PE EXE files in the subdirectory tree of the current disk, and writes itself to the end of each file: it increases the size of the last section, writes its code there, and modifies the entry point address. To obtain the addresses of the Windows file-access functions, the virus parses Kernel32's internal structures. To detect already infected files, the virus stores an "a" stamp in the file's DOS stub header.
Most of the virus is compatible with all Win32 versions (Win32/95/NT), but the infection routine has a minor bug; because of it, the majority of infected files cannot be executed under WinNT.
The virus contains the text:
Boles and Manning are arrogant facists. They have no computer sk1llz and KENSTON HIGH SCHOOL's computers are 0wn3d. I AM BACK KOONS YOU MOTHERFUCKER dowN wiTh KenSTON..... yOU tRIED tO rID yOUrSELf oF mE BefoREbUT fAILED HAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
The virus also contains a string listing the names of the Windows API functions it uses:
LoadLibraryA GetProcAddress FindFirstFileA FindNextFileA FindClose SetFileAttributesA SetFileTime CreateFileA ReadFile WriteFile SetFilePointer CloseHandle SetCurrentDirectoryA GetCurrentDirectoryA
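The two file-level traces described above (entry point redirected into the last section, and an "a" stamp in the DOS stub) can be checked with a small PE header parser. This is an added example, not Kaspersky's detection logic: the sample images are constructed in the script, and the stamp offset (0x40) is an assumed placeholder, since the description does not give the real one.

```python
import struct

# Constructed sample layout (not a real Kenston sample): e_lfanew = 0x80, two sections,
# .text at RVA 0x1000 (raw offset 0x200) and .data at RVA 0x2000 (raw offset 0x400).
PE_OFF, OPT_SIZE, SEC_SIZE = 0x80, 0xE0, 0x200
SECTIONS = [(b".text", 0x1000, 0x200), (b".data", 0x2000, 0x400)]  # (name, rva, raw ptr)

def build_sample_pe(entry_rva, stamp=None, stamp_offset=0x40):
    """Build a minimal PE32 image; stamp (if given) is written into the DOS stub area."""
    buf = bytearray(0x600)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, PE_OFF)                 # e_lfanew
    if stamp is not None:                                     # ASSUMED stamp offset, see lead-in
        buf[stamp_offset:stamp_offset + len(stamp)] = stamp
    buf[PE_OFF:PE_OFF + 4] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptHdr, Characteristics
    struct.pack_into("<HHIIIHH", buf, PE_OFF + 4, 0x14C, len(SECTIONS), 0, 0, 0, OPT_SIZE, 0x102)
    opt = PE_OFF + 24
    struct.pack_into("<H", buf, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<I", buf, opt + 16, entry_rva)          # AddressOfEntryPoint
    for i, (name, rva, raw) in enumerate(SECTIONS):
        struct.pack_into("<8sIIII", buf, opt + OPT_SIZE + 40 * i, name, SEC_SIZE, rva, SEC_SIZE, raw)
    return bytes(buf)

def parse_pe(data):
    """Return (entry_rva, e_lfanew, [(name, rva, virtual_size, raw_ptr, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]   # optional header + 16
    secs = []
    for i in range(nsec):
        name, vsize, rva, rsize, rptr = struct.unpack_from("<8sIIII", data, pe + 24 + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0"), rva, vsize, rptr, rsize))
    return entry, pe, secs

def kenston_indicators(data, stamp_offset=None):
    """Heuristics from the description: entry point inside the last section of the table,
    plus (when an offset is supplied) an 'a' byte in the DOS stub between 0x40 and e_lfanew."""
    entry, pe, secs = parse_pe(data)
    last = secs[-1]
    findings = []
    if last[1] <= entry < last[1] + max(last[2], last[4]):
        findings.append("entry point inside last section %r" % last[0].decode())
    if stamp_offset is not None and 0x40 <= stamp_offset < pe and data[stamp_offset:stamp_offset + 1] == b"a":
        findings.append("'a' stamp at DOS stub offset 0x%x" % stamp_offset)
    return findings
```

An entry point in the last section is only a heuristic for appending infectors; legitimate packers and linkers can produce the same layout, so treat it as a triage signal rather than a verdict.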
Removal instructions for Virus.Win32.Kenston.1895.a:

