Class Virus
Platform Win9x

Technical Details

This is a very dangerous encrypted parasitic Win95 virus about 10Kb in
length. It is a direct action virus – it scans current a drive directory three times,
looks for PE EXE files there and infects them; but it does it in the background
of a host process (in process thread), and as a result, can stay in memory for
a long time up to the moment the host process is terminated, or all files on
a drive are scanned. Because of this, the virus can be classified as
per-process memory resident.

While infecting a file, the virus writes itself to the end of the file in the
last file section, increases this section size and modifies necessary PE
header fields.

To obtain addresses for file access and other functions, the virus uses an
address that is valid for Win95/98 only, and as a result, causes standard a
Windows “error in application” message when infected files are run under
other Windows versions.

In about 4 month after infecting a file, and being run on the same computer
(the virus stores the current date and computer name while infecting), the virus
runs its trigger routine. This routine gains access to a Windows desktop, and
moves icons out of the mouse cursor when the mouse cursor is being moved to the icons.
It appears as though the programs’ icons run out away from the cursor, trying to escape.

When the files are infected on the 1st, 2nd or 3rd of any month, the virus
randomly infects them with its Trojan routine. When such Trojanized files
are run in about 7 months after being infected, the Trojan routine erases
all files on the current drive, creates and randomly overwrites the WIN.COM
file with garbage or the text:

 (c) 1999 Brain & Amjads (pvt) Ltd   
 Dedicated to the dynamic memories of millions of virus 
 who are no longer with us today - Thanks
Find out the statistics of the threats spreading in your region