FRISK Software International


Summary of W32/Busm.1445
Alias: Spaces.1445.a, Spaces.gen
Length: 1445 bytes
Infectable objects: Executables
Discovered: 1 Jan 2002
Risk Level: Low
Infection Method: Hooks the file system and waits for a call to it.

Brief Description
Busm.1445, also known as Spaces.1445.a and Spaces.gen, is a simple resident file infector that only infects executable (.EXE) files. The virus uses system privileges to stay resident.

When the operating system opens a file, the virus takes control, infects the file, and then returns control to the operating system.

The virus only works on Windows 9x, because the method it uses to obtain system privileges does not work on other Windows operating systems.



Technical Description
The virus's algorithm has four basic steps:


Step 1: "Get system (ring 0) privileges"
It starts with a common "trick" to gain ring-0 privileges on Windows 9x. This only works on Windows 9x and is critical for the virus to function.

Step 2: "Going resident"
Next it checks whether it is already resident. If it is not, it uses its ring-0 privileges to hook the VxD API function GetVersion (the hook serves as its "already resident" check), allocates memory, copies itself into the allocated memory, and finally hooks itself into the file system.

Step 3: "Processing calls to the file system"
This step runs only when a call is made to the file system. On each such call the virus checks that the file being processed has the .EXE extension, has a PE header structure, and has not already been infected.

Step 4: "Infecting"
Finally it analyses the PE header of the "victim", makes the necessary modifications to it, marks the file as infected, appends itself to the end of the "victim", and passes the call back to the operating system.




Antoni Marcin Nawrocki / rstur Snr Eisson, FRISK Software International