Kaspersky Lab, a fast-growing international anti-virus software development company, announces the discovery of a new computer virus, Win32.Santana, which has been distributed via the Internet and e-mail under the name NOCIH.EXE, pretending to be a universal cure for the "Chernobyl" virus.
Detection and disinfection routines for the Win32.Santana virus have been included in the emergency update for AntiViral Toolkit Pro (AVP). The update is available on Kaspersky Lab's web site at www.kasperskylabs.com.
"This virus poses no serious threat to computer users. Nevertheless, we would like to warn about the possibility of the emergence of more dangerous malicious software that gives itself out as a vaccine for the "Chernobyl" virus, which will be activated on April 26," said Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab.
Technical Details
Win32.Santana is a memory-resident, parasitic, encrypted Win32 virus. It infects PE EXE files (Win32 executable files) by writing its code to the end of the file and modifying the necessary PE header fields so that the appended code receives control. The virus does not manifest itself in any way. It contains the text string:
Virus "SANTANA" created by Net'$ Wa$te [RespawneD EViL]
When an infected file is executed, the virus gets control, decrypts itself and calls its main routine. That routine scans the Windows kernel to obtain the addresses of the file access functions it needs and then checks the system environment. Under Windows NT the virus then activates a direct infection routine: it searches for all PE EXE files in the current directory, infects them and returns control to the host program.
Under Windows 95/98 the virus scans the VxD memory area and looks for a cave (a run of zero bytes, i.e. an unused area). The virus then copies its code to that cave, switches its process to kernel mode (Ring0), hooks the SetCurrentDirectoryA Windows API function (called whenever a program selects a new directory) and stays in system memory as a component of the Windows kernel. Each time a new directory is selected, the virus runs its find-and-infect routine. Where there is no cave of a reasonable size, the virus activates the direct infection routine in the same way as under Windows NT.
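As an added defender-side example (not Kaspersky Lab's or AVP's detection code), the following Python triage script checks a PE file for the two observable traits the Technical Details describe: the embedded text string, and an entry point redirected into the file's last section, which is typical of an infector that appends its code to the file end and patches the PE header. It builds a constructed minimal PE32 image for testing; the heuristic and the assumption that the last section holds the appended code are illustrative, not AVP's signature.

```python
import struct

# Text string the advisory reports inside the virus body, used here as a plain byte signature.
MARKER = b"Virus \"SANTANA\" created by Net'$ Wa$te [RespawneD EViL]"

def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, va, vsize, raw_off, raw_size), ...]) of a PE32 image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, = struct.unpack_from("<H", data, pe + 6)                    # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)               # SizeOfOptionalHeader
    entry, = struct.unpack_from("<I", data, pe + 24 + 16)             # AddressOfEntryPoint
    table = pe + 24 + opt_size                                        # section table start
    secs = []
    for i in range(nsec):
        off = table + 40 * i
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, off + 8)
        secs.append((data[off:off + 8].rstrip(b"\0"), va, vsize, raw, rsize))
    return entry, secs

def assess(data):
    """Heuristic triage: marker string present, or entry point moved into the last section."""
    entry, secs = parse_pe(data)
    findings = []
    if MARKER in data:
        findings.append("santana marker string")
    last = max(secs, key=lambda s: s[1])                              # highest RVA = file-end section
    if len(secs) > 1 and last[1] <= entry < last[1] + max(last[2], last[4]):
        findings.append("entry point in last section")
    return findings

def build_sample(infected):
    """Constructed minimal PE32 image (not a runnable program) for exercising assess()."""
    data_sz = 0x400 if infected else 0x200
    secs = [(b".text", 0x1000, 0x200, 0x400, 0x200), (b".data", 0x2000, data_sz, 0x600, data_sz)]
    body = b"\x90" * 0x200 + b"\0" * 0x200
    entry = 0x1000
    if infected:          # code appended at file end, last section grown, entry point redirected
        body += MARKER.ljust(0x200, b"\0")
        entry = 0x2200
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)                           # e_lfanew -> PE header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                            # AddressOfEntryPoint
    table = b"".join(n.ljust(8, b"\0") + struct.pack("<IIII", vs, va, rs, raw) + b"\0" * 16
                     for n, va, vs, raw, rs in secs)
    return (bytes(dos) + coff + bytes(opt) + table).ljust(0x400, b"\0") + body
```

Run `assess(open(path, "rb").read())` on a real file to get the list of findings; an empty list means neither trait was seen, which is not proof of a clean file.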
Kaspersky Lab
Kaspersky Lab Ltd. is a fast-growing, international, privately owned anti-virus software development company with offices in Moscow (Russia), Cambridge (UK) and Johannesburg (South Africa). Founded in 1997, the company concentrates its efforts on the development of world-leading anti-virus technologies and software. Kaspersky Lab also provides free online security-related Internet information services. The company markets, distributes and supports its software and services in more than 40 countries worldwide.

