Virus.Win32.RainSong.3891

tag: Executable File and Boot Viruses


This is a dangerous per-process memory resident parasitic polymorphic Win32 virus. It searches for PE EXE files (Windows executable files) in the Windows directory and infects them. Then it stays in Windows memory as a component of the host application and infects PE EXE files that are accessed by the host application.

While infecting, the virus writes itself to the end of the file by increasing the size of the last file section. The virus uses "Entry Point Obscuring" methods: while infecting, it does not modify the program's entry address. To receive control when an infected program is run, the virus scans the victim file body, looks for a CALL instruction and replaces it with "JUMP VirusEntry" code. As a result, the virus gets control only when the patched code is executed, not at the start of the program.
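A triage heuristic for the pattern described above, as an added example that is not part of the original entry: it parses the PE section table and reports jumps in executable sections whose target falls inside the last section, even though the entry point is untouched. The function names and the sample image are constructed for illustration, and the near `JMP rel32` encoding (opcode `E9`) is an assumption, since the entry does not state which jump form the virus writes.

```python
import struct

EXEC = 0x20000000  # IMAGE_SCN_MEM_EXECUTE

def parse_sections(pe: bytes):
    """Return section headers as dicts; raises ValueError on a non-PE input."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    count = struct.unpack_from("<H", pe, nt + 6)[0]
    table = nt + 24 + struct.unpack_from("<H", pe, nt + 20)[0]
    keys = ("name", "vsize", "vaddr", "rsize", "roff", "flags")
    return [dict(zip(keys, struct.unpack_from("<8sIIII12xI", pe, table + 40 * i)))
            for i in range(count)]

def jumps_into_last_section(pe: bytes):
    """List (jump RVA, target RVA) for JMP rel32 in code that lands in the last section."""
    secs = parse_sections(pe)
    if len(secs) < 2:
        return []
    last = secs[-1]
    lo, hi = last["vaddr"], last["vaddr"] + max(last["vsize"], last["rsize"])
    hits = []
    for s in secs[:-1]:
        if not s["flags"] & EXEC:
            continue
        code = pe[s["roff"]:s["roff"] + s["rsize"]]
        for i in range(len(code) - 4):
            if code[i] == 0xE9:  # JMP rel32 (assumed form); byte scan, may false-positive
                target = s["vaddr"] + i + 5 + struct.unpack_from("<i", code, i + 1)[0]
                if lo <= target < hi:
                    hits.append((s["vaddr"] + i, target))
    return hits

def build_sample(patched: bool) -> bytes:
    """Constructed two-section image (no optional header); not a real program."""
    hdr = bytearray(0x200)
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    struct.pack_into("<HH", hdr, 0x44, 0x14C, 2)
    struct.pack_into("<8sIIII12xI", hdr, 0x58, b".text", 0x200, 0x1000, 0x200, 0x200, 0x60000020)
    struct.pack_into("<8sIIII12xI", hdr, 0x80, b".data", 0x200, 0x2000, 0x200, 0x400, 0xC0000040)
    text = bytearray(b"\x90" * 0x200)
    # Clean: CALL 0x1100 at RVA 0x1010. Patched: JMP 0x2080 (inside the last section).
    text[0x10:0x15] = (b"\xE9" + struct.pack("<i", 0x106B)) if patched else (b"\xE8" + struct.pack("<i", 0xEB))
    return bytes(hdr) + bytes(text) + bytes(0x200)
```

Because this is a raw byte scan rather than a disassembly, a hit is a reason to inspect the file further, not a verdict.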

The virus has a bug, and often corrupts files while infecting them.

The virus avoids infecting several anti-virus programs, which it detects by the first two letters of the file name: AV*, AN*, DR*, ID*, OD*, TB*, F-*.

On April 6th, it generates a Windows error message with the text:

ASIMOV Jan.2.1920 - Apr.6.1992

The virus also contains the text:

< The Rain Song Coded By Bumblebee/29a >

©Virus-Encyclopedia.com All Rights Reserved.