Virus.Win32.Devir

Class Virus
Platform Win32
Description

Technical Details

This is a per-process memory-resident parasitic polymorphic Win32 virus. The virus infects PE EXE files that have the .EXE filename extension. When run, the virus infects files in the current directory only.

The virus also stays in system memory as a component of the infected host program, gains access to KERNEL functions and intercepts 10 of them: file opening, copying and moving functions, etc. When a PE EXE file is accessed through these functions, the virus infects it. As a result, the virus infects all PE EXE programs that are accessed by the infected host program, and it remains active until the host program exits. The virus also hooks the function that selects a new current directory, and infects PE EXE files there.

The PE EXE infection method is complex and similar to that of the Win32.Driller virus. The block of host file code that is overwritten by the virus's polymorphic routine may, in some cases, also be compressed during infection.

The virus also contains a backdoor routine that opens an Internet connection, waits for its author’s instructions and then follows them: sends/receives files, executes programs, reports system information, etc.

The virus contains the following “copyright” text:

Intruder v.0.1 by Deviator//HAZARD
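The description above gives two concrete things a responder can check for: the virus only targets files with the .EXE extension that are PE images, and infected files carry the "copyright" text quoted above. The following is an added triage script, not part of the original description and not the author's code, that walks a directory, keeps only files that are PE executables by header (MZ stub with e_lfanew pointing at a "PE\0\0" signature) and reports those containing the marker string. The sample files it writes are constructed for the demonstration; the helper names (`is_pe_exe`, `scan_directory`, `demo`) are this example's own.

```python
import os
import struct
import tempfile

# "Copyright" text the description says the virus carries (quoted from the page).
MARKER = b"Intruder v.0.1 by Deviator//HAZARD"


def is_pe_exe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew offset points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def scan_directory(path: str) -> list:
    """Return sorted names of .EXE files in `path` that are PE images containing MARKER."""
    hits = []
    for name in os.listdir(path):
        # The description says only files with the .EXE extension are targeted.
        if not name.lower().endswith(".exe"):
            continue
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as f:
            data = f.read()
        if is_pe_exe(data) and MARKER in data:
            hits.append(name)
    return sorted(hits)


def _fake_pe(extra: bytes) -> bytes:
    """Constructed, non-runnable bytes with an MZ stub and a PE signature, used as test data."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    return bytes(header) + b"PE\0\0" + b"\0" * 20 + extra


def demo() -> list:
    """Write constructed samples into a temporary directory, scan it, and return the hit list."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "clean.exe"), "wb") as f:
            f.write(_fake_pe(b"ordinary program text"))
        with open(os.path.join(d, "suspect.exe"), "wb") as f:
            f.write(_fake_pe(b"padding" + MARKER + b"more"))
        # Marker inside a non-PE file with an .exe name: not a PE image, so not reported.
        with open(os.path.join(d, "notpe.exe"), "wb") as f:
            f.write(b"plain text " + MARKER)
        # PE image without the .exe extension: outside the virus's stated target set, not scanned.
        with open(os.path.join(d, "lib.dll"), "wb") as f:
            f.write(_fake_pe(MARKER))
        return scan_directory(d)


if __name__ == "__main__":
    print(demo())  # ['suspect.exe']
```

Because the description calls the virus polymorphic and says the overwritten host code may be compressed, a plaintext string match like this only catches samples in which the marker is stored unencrypted; treat a hit as a strong indicator and a miss as inconclusive, and rely on an up-to-date scanner for the actual verdict.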