Virus.Win9x.Yobe

Class Virus
Platform Win9x
Description

Technical Details

This is a dangerous memory resident parasitic Windows virus. It uses system
calls that are valid under Win95/98 only, and can’t spread under NT. The
virus also has bugs and often halts the system when run. Despite this,
the virus has very unusual way of spreading, and it is interesting enough
from a technical point of view.

The virus can be found only in two files: “SETUP.EXE” on floppy disks and
“SETUP .EXE” in the root of the C: drive (there is one space between the file
name and “.EXE” extension).

On floppy disks, the virus uses a trick to hide its copy. It writes its
complete code to the last disk sectors and modifies the SETUP.EXE file to
read and execute this code.

The infected SETUP.EXE file looks just as a 512-byte DOS EXE program, but it
is not. While infecting this file, the virus uses a DirII virus
method: by direct disk sectors read/write calls, the virus gets access to
disk directory sectors, modifies the “first file cluster” field and makes
necessary changes in disk FAT tables. As a result, the original SETUP.EXE
code is not modified, but the directory enters points to the virus code instead
of the original file clusters.

When the infected SETUP.EXE is run from the infected floppy disk, this DOS
component of the virus takes control, reads the complete virus body from
the last sectors on the floppy disk, then creates the “C:SETUP .EXE” file,
writes these data (complete virus code) to there and executes. The virus
installation routine takes control then, installs the virus into the system
and disinfects the SETUP.EXE file on the floppy drive.

While installing itself into the system, the virus creates a new key in
the system registry to activate itself upon each Windows restart:

 HKLMSoftwareMicrosoftWindowsCurrentVersionRun 
  YOBE=""C:SETUP .EXE" YOBE"

The virus then switches to the Windows kernel level (Ring0), allocates a
block of system memory, copies itself to there and hooks disk-file access
Windows functions (IFS API). This hook intercepts file opening calls, and upon
opening the SETUP.EXE file on the A: drive, the virus infects it.

The virus has additional routines. First, one of them looks for “AVP Monitor”
and “Amon Antivirus Monitor” windows and closes them; the second one,
depending on the random counter, displays a line with the words “YOBE” to the
left side of the screen.