Threat Encyclopedia

Subtitle

Virus, spyware, worms and other threat descriptions

Selected viruses, spyware, and other threats: sorted alphabetically

0-9
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
 

Win95/Zmorf

This is a virus family attacking files PE for Windows 95 and 98. It is made interesting especially by its polymorphic code. The virus in the attacked file is encrypted and is formed by mutually interconnected isles of code. Upon execution they create the decoded virus body on stack. The last isle takes care for activation of the decoded virus. Of course, individual isles are polymorphic, of different length and written so that their detection will be as difficult as possible. But method of preventing detection like this takes its toll - the length of code being added to the attacked program can sometimes be more than 30 Kb. It seems that this is something no one minds in era of Windows.

Win95/Zmorf.2784
To get to the authorisation level of the system core - to RING 0 - the virus uses a known trick. It installs itself as a system controller of the VxD type (that is why it does not function under Windows NT) controlling two system events – it introduces a function for identification of itself, whether it already is resident in memory, and it services approach to files that it continuously attacks. In the virus body is the text "KME.Z0MbiE-4.b"indicating that the author of the virus is a Russian programmer known under the nickname Zombie.

Win95/Zmorf.5200
This variant actively fights against the resident part of the anti-virus system AVP – the program AVP Monitor. It deactivates the program in memory. The virus is interesting also by the fact that it is present in the attacked computer memory in two forms – as a VxD controller and as a system process. When an infected file is run the virus body is generated in the container and the virus is installed into the system. The virus is installed into the memory as a VxD controller and it has the same functions as its shorter variant. In addition the file RUNDLL16.EXE is copied into the Windows system directory. The virus registers the file in the system registry and by doing so it ensures its activation upon each system run. The process is not visible and its task is vicious. After certain interlude it “wakes up” and forces the part of the virus, which is present in the system as VxD, to attack EXE files on all accessible disks from C: to Z:.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.