My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win95.Padania.A

VERY LOW
VERY LOW
573

Symptoms

        This is a Windows 95/98 file infector. If infected you will notice an increase in size of executable and a new section named "Padania " added at the end of infected executable files.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Mihai Cimpoesu, Virus Researcher

Technical Description:

        This is a proof of concept file infector virus that takes advantage of a Windows 95/98 vulnerability that enables viruses to copy their code at offset 0x1000 starting from address 0xC0000000 in the kernel space. After installing itself it has the behavior of a TSR (Terminate and Stay Resident) hooking VxD functions to intercept all disk activity in the system. When accessing a executable file (execute or just list the files in a directory) the Virus gains control and infects this file.

        As for file infection the virus can actually infect the file in three similar ways, depending on the file structure. If the victim doesn't have a .reloc section, then the virus will just add a new section and put the EIP in PE to point on it. If the victim has a .reloc section the virus will overwrite this section with its code and change the PE header so it doesn't think anymore about the fix-up section.
        After this the virus will have two ways of gaining control to that position. One is the simple to change the EIP in the PE header, while the second is to put a JMP from the body of the program to the virus.
        To find a suitable position where to put the JMP the virus will use the original .reloc section that contains useful data to find suitable instructions.  The virus will put the JMP near the original EIP, so it is very probable it will be executed (thus putting the JMP in a random position should not activate the virus too often).
        By overwriting the .reloc it is very probable that the filesize of the infected file won't change (very often the dimension of the .reloc is anyway bigger then the virus length) thus making this also a sort of stealth add-on.