Detect Date 04/19/2002
Class Virus
Platform Win32

Elkern is a harmless encrypted resident parasitic Win32 virus.

It searches recursively for Win32 EXE applications (PE EXE files) with .SCR and .EXE extensions in the current directory on fixed and network drives and all available network resources, and infects them.

The virus doesn't infect files whose full path contains the string "tem32\dllcac" (part of "System32\dllcache") or "rary Inter" (part of "Temporary Internet Files").

While infecting, the virus writes itself to the file in separate blocks, similar to the Win95.CIH infection routine.
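The targeting rules above (recursive search for .EXE/.SCR PE files, the two excluded path fragments) and the CIH-style block placement lend themselves to a responder's scoping check. The following Python is an added example, not Kaspersky's analysis code and not part of the virus: it lists the files under a directory that the described rules would have selected, and flags non-zero bytes in the slack between a section's VirtualSize and SizeOfRawData. Reading "separate blocks, similar to Win95.CIH" as a body placed in unused space inside existing sections is this example's own assumption, and the slack check is a generic heuristic rather than an Elkern signature; the minimal PE images and the directory tree it builds are constructed test data.

```python
import os
import shutil
import struct
import tempfile

# Path fragments the description says the virus skips, in the backslash form Windows uses.
EXCLUDED_FRAGMENTS = (r"tem32\dllcac", "rary Inter")
TARGET_EXTENSIONS = (".exe", ".scr")


def is_excluded(path):
    """True if the path carries one of the exclusion fragments.
    Forward slashes are folded to backslashes so the check also works on a POSIX test tree."""
    win_path = path.replace("/", "\\")
    return any(frag in win_path for frag in EXCLUDED_FRAGMENTS)


def pe_header_offset(data):
    """Offset of the 'PE\\0\\0' signature, or None when data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    return pe


def section_slack(data):
    """Yield (name, slack_offset, slack_size, nonzero_bytes) for every section.
    Slack is file space past VirtualSize but inside SizeOfRawData; linkers zero-fill it,
    so non-zero bytes there deserve a look (heuristic assumption, not an Elkern signature)."""
    pe = pe_header_offset(data)
    if pe is None:
        return
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size  # section table follows the optional header
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            break
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        if raw_size <= vsize:
            continue
        start, end = raw_ptr + vsize, min(raw_ptr + raw_size, len(data))
        yield name, start, end - start, sum(1 for b in data[start:end] if b)


def exposed_files(root):
    """Files under root that the described targeting rules would select, with slack reports."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(TARGET_EXTENSIONS):
                continue
            full = os.path.join(dirpath, fn)
            if is_excluded(full):
                continue
            with open(full, "rb") as fh:
                data = fh.read()
            if pe_header_offset(data) is not None:
                hits.append((full, list(section_slack(data))))
    return hits


def build_sample_pe(slack_payload=b""):
    """Constructed minimal PE: one .text section with VirtualSize 0x100 and SizeOfRawData
    0x200, slack_payload placed in the 0x100 bytes of slack. Not a runnable binary."""
    vsize, raw_size, raw_ptr = 0x100, 0x200, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # COFF header right after the DOS header
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    section = struct.pack("<8sIIIIIIHHI", b".text", vsize, 0x1000, raw_size, raw_ptr,
                          0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + coff + bytes(0xE0) + section).ljust(raw_ptr, b"\0")
    return header + b"\xC3" * vsize + slack_payload.ljust(raw_size - vsize, b"\0")


def demo_in_tempdir():
    """Lay out a constructed tree and return (selected, suspicious) as relative paths."""
    root = tempfile.mkdtemp()
    layout = {
        "app/tool.exe": build_sample_pe(),                     # clean target
        "app/saver.SCR": build_sample_pe(b"\xAA" * 64),        # target with filled slack
        "app/readme.txt": build_sample_pe(),                   # wrong extension
        "app/stub.exe": b"MZ but not a PE image",              # not a PE file
        "System32/dllcache/calc.exe": build_sample_pe(),       # excluded path
        "Temporary Internet Files/dl.exe": build_sample_pe(),  # excluded path
    }
    try:
        for rel, data in layout.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        selected, suspicious = [], []
        for full, slack in exposed_files(root):
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            selected.append(rel)
            if any(nonzero for _n, _o, _s, nonzero in slack):
                suspicious.append(rel)
    finally:
        shutil.rmtree(root)
    return sorted(selected), sorted(suspicious)
```

Running demo_in_tempdir() on the constructed tree selects only app/tool.exe and app/saver.SCR and flags the latter; the exclusion check operates on substrings exactly as the description states it, so a real scope assessment should treat "System32\dllcache" and "Temporary Internet Files" as the only locations the virus left alone, not as safe by any other measure.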

The virus has a bug that may cause double infections. Despite this, infected files work without any problem.

The virus stays in memory and infects all active processes that don't have "explorer" in their name. It copies a part of its body into the process and then intercepts the DispatchMessageA and DispatchMessageW functions. When one of these functions is called, the virus activates its copy in the current process.

The Elkern virus doesn’t reveal itself overtly in any way.

