Virus.Win32.Redemption.a

tag: Executable File and Boot Viruses


This is a non-dangerous memory-resident parasitic Windows virus. It replicates only under Win32, but it infects PE EXE files (Win32 executables) as well as DOS EXE and NE EXE (Win16) files. To do so the virus uses a trick that lets it infect all of these executable types: it "saves" the original file data in the DOS stub section by increasing the stub's size (see "Win32.Cerebrus" for more details) and writes its own code to the end of the file as PE executable code. In addition, the virus compresses victim files so that the file length does not grow on infection.

To pass control to the host program, the virus unpacks it into a temporary EXE file in the Windows temporary directory, executes that file and then deletes it.

When an infected file is executed, the virus searches for and infects EXE files in the Windows root and system directories and then in the current directory. To stay memory resident, the virus runs its code as a hidden process that waits for some time, then periodically scans all drives and infects the EXE files on them.

On October 29th the virus creates the file 29A.BMP, an image containing the text "J.Q.29A", and registers it as the desktop wallpaper.

The virus contains the text:

(c) Win32.REDemption (C ver.1.0) by JQwerty/29A
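The two traits described above (an original host tucked into an enlarged DOS stub, and the marker text) can be turned into a simple triage heuristic. The following is an added example written for this page, not code from the encyclopedia or from any scanner; the `STUB_LIMIT` threshold is an assumption chosen for illustration, and the sample images are constructed in code.

```python
import struct

# Marker text quoted in the description, as it would appear in an infected file.
MARKER = b"(c) Win32.REDemption (C ver.1.0) by JQwerty/29A"

# Assumed triage threshold: a normal DOS stub is usually well under 1 KiB, so a
# PE header offset (e_lfanew) far beyond that is worth a closer look. Legitimate
# files with large stubs exist, so treat this as a hint, not a verdict.
STUB_LIMIT = 0x400


def inspect_pe(data: bytes, stub_limit: int = STUB_LIMIT) -> dict:
    """Return infection indicators for one executable image held in memory."""
    result = {"is_mz": False, "is_pe": False, "stub_size": None,
              "oversized_stub": False, "marker_found": MARKER in data}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    result["is_mz"] = True
    # e_lfanew (offset 0x3C of the MZ header) gives the PE header offset, i.e.
    # the size of everything before it: the DOS header plus the DOS stub.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    result["stub_size"] = e_lfanew
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        result["is_pe"] = True
        result["oversized_stub"] = e_lfanew > stub_limit
    return result


def scan_file(path: str) -> dict:
    """Convenience wrapper for inspecting an on-disk executable."""
    with open(path, "rb") as f:
        return inspect_pe(f.read())


def build_sample(stub_size: int, tail: bytes = b"") -> bytes:
    """Constructed test image: MZ header, padding up to stub_size, PE signature, tail."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, stub_size)
    return bytes(header) + b"\0" * (stub_size - 0x40) + b"PE\0\0" + tail
```

A file that trips both indicators (oversized stub and marker present) is a strong candidate for further analysis; the stub size alone only justifies a second look.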

©Virus-Encyclopedia.com All Rights Reserved.