To get access to Windows functions, the virus scans the KERNEL32 export table, gets the address of the GetProcAddress function, and then uses it to get the addresses of the functions it needs:
KERNEL32.DLL:
GetModuleHandleA GetProcAddress CreateFileA WriteFile GetFileSize CreateFileMappingA MapViewOfFile UnmapViewOfFile CloseHandle FindFirstFileA FindNextFileA FindClose SetFilePointer SetEndOfFile GetCurrentDirectoryA SetCurrentDirectoryA GetFileAttributesA SetFileAttributesA GetSystemTime GetWindowsDirectoryA
USER32.DLL and ADVAPI32.DLL:
RegOpenKeyExA RegSetValueExA MessageBoxA SystemParametersInfoA
The "per-process resident" code of the virus scans the import table of the current (host) process and hooks the following Windows file access functions, if the process imports them:
MoveFileA CopyFileA CreateFileA DeleteFileA SetFileAttributesA GetFileAttributesA GetFullPathNameA CreateProcessA
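A defender can check for this kind of import redirection by confirming that each of the listed imports still resolves inside the DLL that exports it. The C code below is an added example, not part of the original description; the structure names, function names and the address snapshot are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* File-access imports that, per the description, the per-process resident code hooks. */
static const char *const WATCHED[] = {
    "MoveFileA", "CopyFileA", "CreateFileA", "DeleteFileA",
    "SetFileAttributesA", "GetFileAttributesA", "GetFullPathNameA",
    "CreateProcessA"
};

struct module_range { uintptr_t base; size_t size; };      /* loaded image of the exporting DLL */
struct iat_entry    { const char *name; uintptr_t target; }; /* one resolved import slot */

static int is_watched(const char *name) {
    for (size_t i = 0; i < sizeof WATCHED / sizeof WATCHED[0]; i++)
        if (strcmp(name, WATCHED[i]) == 0) return 1;
    return 0;
}

/* Stores in out[] the indices of watched imports whose target lies outside mod.
   Returns the total number found, which may exceed out_cap. */
size_t find_redirected_imports(const struct iat_entry *iat, size_t n,
                               struct module_range mod,
                               size_t *out, size_t out_cap) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (!is_watched(iat[i].name)) continue;
        /* Unsigned subtraction wraps for targets below base, so one compare covers both bounds. */
        if (iat[i].target - mod.base >= mod.size) {
            if (hits < out_cap) out[hits] = i;
            hits++;
        }
    }
    return hits;
}

/* Constructed snapshot of a host process; all addresses are made up. */
static const struct module_range SAMPLE_KERNEL32 = { 0x77E80000u, 0x000C0000u };
static const struct iat_entry SAMPLE_IAT[] = {
    { "CreateFileA",        0x00412340u }, /* points into the host image: flagged */
    { "GetFileAttributesA", 0x77E8A100u }, /* inside the DLL: clean */
    { "WriteFile",          0x00412400u }, /* not in the watched list: skipped */
    { "CreateProcessA",     0x77F40000u }, /* first byte past the DLL: flagged */
    { "DeleteFileA",        0x77EA0010u }, /* inside the DLL: clean */
};
```

Some KERNEL32 exports are forwarded to other system DLLs, so a real check should accept the range of every module an import can legitimately resolve to.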
The virus also contains the text strings:
To Aparna S. : Forever in love with you... AYAM IAHS Control Panel\Desktop TileWallpaper WallpaperStyle SLAM.BMP
