Virus.Win32.Maya.4106

Tag: Executable File and Boot Viruses

To access Windows API functions, the virus scans the KERNEL32 export table to find the address of GetProcAddress, then uses that function to obtain the addresses of the functions it needs:

KERNEL32.DLL:

GetModuleHandleA GetProcAddress CreateFileA WriteFile GetFileSize
CreateFileMappingA MapViewOfFile UnmapViewOfFile CloseHandle
FindFirstFileA FindNextFileA FindClose SetFilePointer SetEndOfFile
GetCurrentDirectoryA SetCurrentDirectoryA GetFileAttributesA
SetFileAttributesA GetSystemTime GetWindowsDirectoryA

USER32.DLL and ADVAPI32.DLL:

RegOpenKeyExA RegSetValueExA MessageBoxA SystemParametersInfoA

The "per-process resident" code of the virus scans the import table of the current (host) process and hooks the following Windows file access functions, if the process imports them:

MoveFileA CopyFileA CreateFileA DeleteFileA SetFileAttributesA
GetFileAttributesA GetFullPathNameA CreateProcessA
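
An import-table hook of this kind leaves a trace a defender can check for: the hooked slot no longer resolves inside the DLL named in the import descriptor. The following is an added example, not part of the original description; the snapshot format, module ranges and addresses are constructed for illustration and would in practice come from a memory-forensics tool.

```python
from typing import NamedTuple, Optional

# File-access APIs this description lists as hook targets.
HOOK_TARGETS = {
    "MoveFileA", "CopyFileA", "CreateFileA", "DeleteFileA",
    "SetFileAttributesA", "GetFileAttributesA", "GetFullPathNameA",
    "CreateProcessA",
}

class Module(NamedTuple):
    name: str
    base: int
    size: int

def owner_of(addr: int, modules: list) -> Optional[str]:
    """Name of the loaded image whose address range covers addr, else None."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m.name
    return None

def find_iat_hooks(iat: list, modules: list) -> list:
    """iat rows: (dll named in import descriptor, function, resolved address).
    Report watched functions whose slot points outside that DLL's image."""
    findings = []
    for dll, func, addr in iat:
        if func not in HOOK_TARGETS:
            continue
        owner = owner_of(addr, modules)
        if owner is None or owner.lower() != dll.lower():
            findings.append((func, hex(addr), owner or "<unbacked memory>"))
    return findings

# Constructed snapshot of one process (hypothetical names and addresses).
MODULES = [
    Module("host.exe", 0x00400000, 0x20000),
    Module("KERNEL32.DLL", 0xBFF70000, 0x70000),
]
IAT = [
    ("KERNEL32.DLL", "CreateFileA", 0x0041F2A0),     # resolves inside host.exe
    ("KERNEL32.DLL", "DeleteFileA", 0xBFF7A1B0),     # resolves inside KERNEL32
    ("KERNEL32.DLL", "GetFileSize", 0xBFF7B000),     # not a watched function
    ("KERNEL32.DLL", "CreateProcessA", 0x7FFD0000),  # no backing image at all
]

if __name__ == "__main__":
    for func, addr, owner in find_iat_hooks(IAT, MODULES):
        print(f"{func}: IAT slot -> {addr} ({owner}), expected KERNEL32.DLL")
```

Forwarded exports and API-set redirection legitimately resolve to a different DLL, so a checker used on real systems needs an allow-list for those cases.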

The virus also contains the text strings:

To Aparna S. : Forever in love with you...
AYAM
IAHS
Control Panel\Desktop
TileWallpaper
WallpaperStyle
SLAM.BMP

©Virus-Encyclopedia.com All Rights Reserved.