My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Pal.A

MEDIUM
LOW
aprox. 8k
(Friendly , Patriot)

Symptoms

Increased size of some executable files with appreciatively 8K.
Increased system processor usage, and periodic access to floppy drive


Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Cristi Lungu, virus researcher

Technical Description:

The virus is a file infector for PE-executable files. It only infects the files that have the extension ".exe" and the IMAGE_DOS_HEADER.e_lfarlc set to 40h.
It's signature can be easly seen due to a * that the virus places in front of the PE signature in the infected files.
It does not infect the files that begin with the following strings : "DRWE", "SPID", "INST", "SETU", "KAV".
The virus has a garbage generating routine witch changes it's shape and size on every new infection.
It hides itself in the last section available. It may overwrite data if not enough space available.

The virus comes encripted with a random key. The infection starts imediatly after the damaged program is executed when the virus creates a new thread for infection for each accesible drive and continues as long as the program infected runs. Inbetwen the infection of two consecutive files, the virus waits for 20 seconds. On infection it may damage some executable files.

The virus creates an .html document on the available floppy drive containing his name. The floppy drive is accesed every 30 seconds. It also put's his name in the TitleBar of every window that is visible at the moment. On every 25 of January the virus exchanges periodicaly the function of the mouse buttons

The virus doesn't delete nor change the function of other programs.