Virus.Win32.Mental

Class Virus
Platform Win32
Description

Technical Details

This is a dangerous per-process memory resident parasitic and
polymorphic Win32 virus. The virus looks for PE EXE files with .EXE,
.SCR, and .CPL extensions in the current, Windows and Windows system directories
and infects them. While infecting a file, the virus encrypts its code and writes it
to the Relocation section (the fixup table, usually at the end of the
file), and the polymorphic decryption loop is written into the middle of the file,
in the Code section.
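The layout described above (virus body in the relocation section, decryptor in the code section) is a reason to look at the PE section table when triaging a suspect executable. The following Python script is an added example and not part of the original description: it parses the section headers of a PE32 image with nothing but the standard library, reports which section the entry point falls into, and flags non-code sections that carry the execute bit. The `build_pe` helper assembles a constructed, headers-only sample so the script runs offline; the flag values and header offsets come from the PE/COFF specification. The page does not state which section flags the virus sets, so these are generic triage checks, not a signature for this virus.

```python
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# What a linker normally gives a relocation section: read-only data that the
# loader may discard after applying the fixups.
CLEAN_RELOC_CHARS = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(entry_rva, reloc_chars):
    """Construct a minimal, headers-only PE32 image (constructed sample, not a real file).

    Two sections: .text at RVA 0x1000 and .reloc at RVA 0x2000.
    """
    opt_size = 224  # size of a standard PE32 optional header
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew points at "PE\0\0"
    # IMAGE_FILE_HEADER: Machine=i386, 2 sections, no symbols, optional header size, flags
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 20, 0x1000)      # BaseOfCode
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    sections = b"".join([
        struct.pack(SECTION_FMT, b".text", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0,
                    IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        struct.pack(SECTION_FMT, b".reloc", 0x200, 0x2000, 0x200, 0x1400, 0, 0, 0, 0,
                    reloc_chars),
    ])
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


def parse_sections(data):
    """Return (entry_rva, [section dicts]) from a PE32 image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    sec_off = opt_off + opt_size                 # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, data, sec_off + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr,
            "chars": chars,
        })
    return entry_rva, sections


def triage(data):
    """Locate the entry point and flag non-code sections that are executable."""
    entry_rva, sections = parse_sections(data)
    findings = []
    entry_section = None
    for s in sections:
        span = max(s["vsize"], s["rawsize"])
        if s["vaddr"] <= entry_rva < s["vaddr"] + span:
            entry_section = s
        is_code = bool(s["chars"] & IMAGE_SCN_CNT_CODE)
        if not is_code and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append("non-code section %s is marked executable" % s["name"])
    if entry_section is None:
        findings.insert(0, "entry point 0x%x lies outside every section" % entry_rva)
    elif not entry_section["chars"] & IMAGE_SCN_CNT_CODE:
        findings.insert(0, "entry point lies in non-code section %s" % entry_section["name"])
    return {
        "entry_section": entry_section["name"] if entry_section else None,
        "findings": findings,
    }


if __name__ == "__main__":
    print(triage(build_pe(0x1000, CLEAN_RELOC_CHARS)))
    print(triage(build_pe(0x2000, CLEAN_RELOC_CHARS | IMAGE_SCN_MEM_EXECUTE)))
```

On a real sample, read the file with `open(path, "rb").read()` and pass it to `triage`. A hit on either check only says the binary deserves a closer look; plenty of packers and self-modifying programs produce the same layout, so the output is a triage aid, not a verdict.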

The virus then scans the Import table and hooks file access functions (file
creating, opening, searching, moving, executing etc.). The virus'
hooks obtain a file name and run the infection routine. As a result, for as long as
an infected application is running, the virus is active, intercepts access to
PE EXE files, and infects them.

The virus' polymorphic generator has a serious bug that in some cases
corrupts infected files. As a result, these files no longer run,
and Windows displays its standard application error message
when they are started.

The virus deletes the following anti-virus data files: AVP.CRC, ANTI-VIR.DAT,
CHKLIST.MS, and IVB.NTZ. It does not infect files that have the letter 'V' in
the file name, nor files (anti-virus programs) whose names begin
with TB, SC, F-, PA or DR.

The virus has two payload routines that are activated on the 17th of March,
June, September and December. The first routine covers the screen with
the word "NAZKA" placed at random positions. The second routine
displays the following message box:

 Virus NAZKA
 (c) Virus NAZKA by The Mental Driller / 29A