
Win32.Klniber

LOW
MEDIUM
2.5 kb

Symptoms

Increased size of infected executables (approximately 2.5 kb);

Some infected executables may crash.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Mihai Razvan Benchea, virus researcher

Technical Description:

The virus starts by decrypting its code. It then locates the base address at which kernel32 is loaded in order to resolve the addresses of the functions it needs for the infection process.

First, the virus creates a separate thread in which the search for executable files takes place; the host application continues to run on the main thread.

It then searches for all executables in the current directory. If a file has a size between 10 kb and 195 kb and its checksum (the PE header field set by the compiler) is 0, the virus starts the infection.

It first patches the entry point: it extracts 7 bytes from the entry point, saves them at the end of the infection code and inserts instructions that redirect the program's flow to the virus. It then modifies the infection code so that the newly infected file will be able to run the original program.

Using a random number as the key, the virus encrypts the infection code and rebuilds the decryption routine so that the infected file will be able to decrypt the virus.

Finally, the virus appends the code to the executable it found.

The virus only infects files in the current directory.
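As an added example (not Bitdefender's code and not part of the original description), the following Python script turns the behaviour described above into a triage check a responder could run over a suspect directory. It parses the PE header fields the infector depends on (file size, the CheckSum field, the entry point and the section table) and reports two generic indicators of an appended file infector: data past the end of the last section (an overlay) and an entry point that falls outside every section. The sample images are constructed in memory and contain only padding, so nothing here reproduces the virus; the 1024-byte kilobyte, the header layout used for the synthetic samples and the field names in the result dictionary are assumptions of this example.

```python
"""Triage helper for the Win32.Klniber preconditions (added example, not Bitdefender's code)."""
import os
import struct

KB = 1024  # assumption: the description's "kb" is read as 1024 bytes


def parse_pe(data: bytes) -> dict:
    """Extract the few PE32 header fields the checks need. Raises ValueError on non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 images are handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)      # AddressOfEntryPoint
    checksum, = struct.unpack_from("<I", data, opt + 64)       # CheckSum (0 when the linker did not fill it)
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i                          # section headers follow the optional header
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return {"entry_rva": entry_rva, "checksum": checksum, "sections": sections}


def triage(data: bytes) -> dict:
    """Check one in-memory image against the infector's preconditions and the appended-code indicators."""
    pe = parse_pe(data)
    size_in_range = 10 * KB <= len(data) <= 195 * KB            # the 10 kb .. 195 kb window from the description
    checksum_zero = pe["checksum"] == 0
    end_of_sections = max((s["rawptr"] + s["rawsize"] for s in pe["sections"]), default=0)
    overlay_bytes = max(0, len(data) - end_of_sections)         # bytes appended after the last section
    ep = pe["entry_rva"]
    entry_section = next((s["name"] for s in pe["sections"]
                          if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"])), None)
    return {
        "size_in_range": size_in_range,
        "checksum_zero": checksum_zero,
        "overlay_bytes": overlay_bytes,
        "entry_section": entry_section,
        # only files that the virus would actually target AND that show appended code are flagged
        "suspicious": size_in_range and checksum_zero and (overlay_bytes > 0 or entry_section is None),
    }


def scan_directory(path: str) -> dict:
    """Triage every regular file in one directory (the virus only looks at the current directory)."""
    results = {}
    for entry in os.scandir(path):
        if not entry.is_file():
            continue
        with open(entry.path, "rb") as fh:
            data = fh.read()
        try:
            results[entry.name] = triage(data)
        except ValueError as exc:
            results[entry.name] = {"error": str(exc)}
    return results


def build_sample(total_size: int, checksum: int, entry_rva: int, overlay: int = 0) -> bytes:
    """Construct a minimal single-section PE32 image (synthetic test input, not a real binary)."""
    headers_size = 0x400                                        # assumed SizeOfHeaders for the toy image
    code_size = total_size - headers_size - overlay
    if code_size <= 0:
        raise ValueError("total_size too small for the toy layout")
    img = bytearray(headers_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                     # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, one section, 224-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                     # PE32 magic
    struct.pack_into("<I", img, opt + 16, entry_rva)            # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, 0x400000)             # ImageBase
    struct.pack_into("<I", img, opt + 32, 0x1000)               # SectionAlignment
    struct.pack_into("<I", img, opt + 36, 0x200)                # FileAlignment
    struct.pack_into("<I", img, opt + 60, headers_size)         # SizeOfHeaders
    struct.pack_into("<I", img, opt + 64, checksum)             # CheckSum
    sec = opt + 224
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, code_size, 0x1000, code_size, headers_size)
    struct.pack_into("<I", img, sec + 36, 0x60000020)           # CODE | EXECUTE | READ
    return bytes(img) + b"\xCC" * code_size + b"\x00" * overlay  # padding only, no real code


if __name__ == "__main__":
    print("clean   :", triage(build_sample(50 * KB, 0, 0x1000)))
    print("appended:", triage(build_sample(50 * KB, 0, 0x1000, overlay=2560)))
```

The checks are deliberately conservative: a CheckSum of 0 is common in binaries produced by many compilers, and an overlay is normal in installers and in Authenticode-signed files (the signature itself lives past the last section), so the script only raises `suspicious` when a file lies inside the virus's size window, has a zero checksum and also shows appended data or an out-of-section entry point. Treat a hit as a candidate for the disinfection step above, not as a verdict.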