Threat Encyclopedia


Win32/Spaces.1445.A

Aliases: W95/Spaces.1445, Win95:TwoSpaces, PE_SPACES.1445, W95/Spaces.GR, Win95.Spaces.1633, W32/Busm.1445

This virus is written in assembler and runs under the Windows 95 operating system. It infects Portable Executable files with the .exe extension and increases their length by 1445 bytes.
When an infected file is executed, the virus code, located in the last section, runs first. In the PE header of an infected file, at offset 0x4C, there are characters with the ASCII code 32. This code represents the space character, which is why one of the virus's names is Twospaces.
When the virus runs, it checks whether an active copy of itself is already in memory. It does so by means of the function VxDCall IFSMgr_Get_Version. If, after this function is called with the register AX set to 2020h, it returns the value 0DEADh in AX, the virus assumes that it is already installed in memory and does not install itself a second time.
The virus then redirects file system calls to itself and monitors the execution of files with the .exe extension. These files are infected when they are started.
The virus contains an activation routine that is triggered on June 1st. This routine modifies the disk partition table located in the Master Boot Record so that it points at itself. On some MS-DOS versions this leaves the computer unable to load the operating system.
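
A triage check built on the two file-level traits described above (the space marker at header offset 0x4C and the entry point landing in the last section), given as an added example and not ESET's detection logic. It assumes the offset is measured from the PE signature, which in a PE32 file is the reserved Win32VersionValue field, and that the marker is two bytes; `spaces_indicators` and `build_sample` are hypothetical names and the sample header is constructed.

```python
import struct

# Assumptions (not stated on the page): offset 0x4C is measured from the
# "PE\0\0" signature, and the marker is exactly two bytes of ASCII 32.
MARKER_OFFSET, MARKER = 0x4C, b"  "

def spaces_indicators(data: bytes) -> dict:
    """Check the two file-level traits; raise ValueError if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if pe + 0x50 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE header")
    nsec, = struct.unpack_from("<H", data, pe + 6)        # NumberOfSections
    optsz, = struct.unpack_from("<H", data, pe + 20)      # SizeOfOptionalHeader
    entry, = struct.unpack_from("<I", data, pe + 0x28)    # AddressOfEntryPoint
    last = pe + 0x18 + optsz + 40 * (nsec - 1)            # last section header
    if nsec == 0 or last + 40 > len(data):
        raise ValueError("truncated section table")
    # VirtualSize, VirtualAddress, SizeOfRawData follow the 8-byte name.
    vsize, vaddr, rawsz = struct.unpack_from("<III", data, last + 8)
    marker = data[pe + MARKER_OFFSET:pe + MARKER_OFFSET + 2] == MARKER
    in_last = vaddr <= entry < vaddr + max(vsize, rawsz)
    # The marker alone is weak evidence; require both traits together.
    return {"marker": marker, "entry_in_last_section": in_last,
            "suspect": marker and in_last}

def build_sample(entry_rva: int, marker: bytes) -> bytes:
    """Constructed two-section PE32 header for testing (not a real sample)."""
    pe, img = 0x80, bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe)
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, pe + 4, 0x14C, 2)        # i386, 2 sections
    struct.pack_into("<H", img, pe + 20, 0xE0)            # optional header size
    struct.pack_into("<H", img, pe + 0x18, 0x10B)         # PE32 magic
    struct.pack_into("<I", img, pe + 0x28, entry_rva)
    img[pe + 0x4C:pe + 0x4E] = marker
    for i, (name, va) in enumerate(((b".text", 0x1000), (b".reloc", 0x2000))):
        off = pe + 0x18 + 0xE0 + 40 * i
        img[off:off + len(name)] = name
        struct.pack_into("<III", img, off + 8, 0x1000, va, 0x200)
    return bytes(img)

if __name__ == "__main__":
    print(spaces_indicators(build_sample(0x2000, b"  ")))
```

A hit from this check is a reason to submit the file to a full scanner, since legitimate packers can also place the entry point in the last section.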

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.