Class Trojan-Banker
Platform Win32

Technical Details

It is a harmless, non-memory-resident parasitic Win32 virus. It searches for
Win32 PE executable files in the current directory and infects them.
The virus works under both Windows 95/98 and Windows NT.

When an infected program is run, the virus receives control and searches
for Win32 API addresses. First it scans the KERNEL code for the address of
the GetProcAddress function. Once that function is located, the virus uses
it to obtain pointers to nine other functions:

CreateFileA, CreateFileMappingA, MapViewOfFile, CloseHandle,
FindFirstFileA, FindNextFileA, FindClose, UnmapViewOfFile, SetEndOfFile

Using these calls, the virus then searches for files and infects them.
During infection the virus inserts its code into the middle of the file,
at the end of the first section. The virus looks for a gap in the virtual
image of the file: if there is enough free space between the first and
second section in the virtual image (addresses in memory, not in the disk
file; the virus avoids overlapping sections when the file is loaded into
memory), it shifts the rest of the file down by 1024 bytes, writes its code
into this cave, modifies the entry point address and fixes the section headers.
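A defender-side check for the infection pattern just described, added here as an example that is not part of the original entry: it parses PE32 section headers and flags a file whose entry point sits in the last 1024 bytes of the first section, or in the virtual slack between the first and second section where no section is mapped at all. The build_pe fixture, the section layouts it produces and the 1024-byte CAVE_SIZE threshold are constructed assumptions derived from the description above, not real samples.

```python
import struct

CAVE_SIZE = 1024     # size of the code block the description says the virus inserts
OPT_HDR_SIZE = 224   # PE32 optional header size

def parse_pe(data):
    """Return (entry_rva, [(name, virt_size, virt_addr), ...]) from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    opt_off = pe_off + 24                                     # optional header follows COFF header
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, vaddr = struct.unpack_from("<8sII", data, opt_off + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vsize, vaddr))
    return entry_rva, sections

def analyze(data):
    """Heuristics from the description: virtual slack after the first section, and whether
    the entry point lies in the last CAVE_SIZE bytes of that section or inside the slack."""
    entry_rva, secs = parse_pe(data)
    if len(secs) < 2:
        return {"gap": None, "entry_in_tail": False, "entry_in_gap": False, "suspicious": False}
    _, vsize1, vaddr1 = secs[0]
    end1, vaddr2 = vaddr1 + vsize1, secs[1][2]
    gap = vaddr2 - end1                                       # free virtual space before section 2
    entry_in_tail = end1 - CAVE_SIZE <= entry_rva < end1 and entry_rva != vaddr1
    entry_in_gap = end1 <= entry_rva < vaddr2                 # entry point mapped by no section
    return {"gap": gap, "entry_in_tail": entry_in_tail, "entry_in_gap": entry_in_gap,
            "suspicious": entry_in_tail or entry_in_gap}

def build_pe(entry_rva, sections):
    """Constructed header-only PE32 fixture for testing (not a real or infected binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(OPT_HDR_SIZE, b"\0")
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va, vs, 0,
                                0, 0, 0, 0, 0x60000020) for n, vs, va in sections)
    return dos + coff + opt + hdrs

if __name__ == "__main__":
    clean = build_pe(0x1000, [(".text", 0x800, 0x1000), (".data", 0x200, 0x2000)])
    cave = build_pe(0x1800, [(".text", 0xC00, 0x1000), (".data", 0x200, 0x2000)])
    print(analyze(clean))   # gap 2048, nothing flagged
    print(analyze(cave))    # entry in the last 1024 bytes of .text -> suspicious
```

The tail check alone produces false positives on legitimately linked files whose entry point happens to sit near the end of the first section, so treat it as a triage signal to corroborate with the entry-point bytes rather than as a verdict.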

The virus has a bug that causes double infection. Despite this, infected
files work without any problem.

The virus contains the text string that gives its name:
