Summary of W32/Busm.1445
||1 Jan 2002
|Infection Method:||Hooks file system and waits for a call to it.
|Busm.1445, also known as Spaces.1445.a and Spaces.gen is a simple resident file infector, and only infects executable files(.EXE). The virus uses system priviliges to stay resident.
When the operating system tries to open a file the virus takes control and infects it, returning the control then back to the operating system.
The virus can only work in Windows 9x operating systems due to the fact that the method it uses to get system priviliges does not work in other Windows operating systems.
|Algorithm of the virus has 4 basic steps :
Step 1 : "Get System(Ring zero) priviliges"
First it start with a common "trick" to get ring zero priviliges in Windows 9x systems, this is only possible in Windows 9x systems and is critical for the virus to function.
Step 2 : "Going resident"
Next it checks if it is resident already, if not then with ring zero priviliges it hooks a VxD API function called GetVersion for the purpose of cheking if it is resident already, it will then proceed to allocate memory and copy itself the allocated memory, and last hook itself to the file system.
Step 3 : "Processing calls to file system"
This step is only activated when a call is made to the file system, when a call is made to the file system the virus then checks if the file being processed has the extention of .EXE, a PE header structure and that it has not been infected already.
Step 4 : "Infecting"
Last it analyses the PE header of the "victim" and makes necessary modificaions to it, marks the file as infected, appends itself at the end of "victim" and finally sends the call back to the operating system.
Antoni Marcin Nawrocki / Þröstur Snær Eiðsson FRISK Software international