Virus.Win32.Positon.4668

tag: Executable File and Boot Viruses


This is a harmless, per-process memory resident parasitic Win32 virus that is encrypted. It infects Win32 EXE applications (PE EXE files) only. While infecting, the virus creates a new section with the ".Positro" name at the end of the file, and writes itself there.

The virus does not run itself in any way. The virus contains the following text string:

Virus : Win32.Positron_NGVCK Author : Positron

Upon being run, the virus searches for .EXE files in the current, parent, and Windows directories, and infects the PE EXE files it finds there. Then the virus scans directories on the C: drive and infects files there as well.

The virus then hooks file-access Windows functions and the "Change Directory" function, and returns control to the host program. While the program is active, the virus intercepts the following:

file access: infects .EXE, .CPL, and .SCR files being accessed
changing directory: looks for .EXE files in that directory and infects them.

©Virus-Encyclopedia.com All Rights Reserved.