Win32.Klniber
First posted on 21 November 2011.
Source: BitDefender

Aliases:
There are no other names known for Win32.Klniber.
Explanation:
The virus starts by decrypting its code. It then gets the address where kernel32 is loaded in order to find the addresses of functions it needs for the infection process.
First, the virus creates a separate thread where the search for executable files will take place. On the main thread the main application will run.
It then starts searching for all executables in the current directory. If a file has a size between 10 KB and 195 KB and its PE checksum field (the value set by the compiler) is 0, the virus starts the infection.
It first patches the entry point. It extracts 7 bytes from the entry point, saves them to the end of the infection code and inserts some instructions that will redirect the flow of the program to the virus. It then modifies the infection code so the file that is going to be infected will be able to run the original program.
Using a random number, the virus encrypts the infection code and reconstructs the decryption routine so the file that is going to be infected will be able to decrypt the virus.
Finally the virus appends the code to the executable found.
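The file-selection criteria above (a PE in the 10 KB to 195 KB window whose optional-header CheckSum is 0) can be turned into a triage filter for a directory. The following is an added example, not BitDefender's or the virus's code; the function names are hypothetical and the minimal PE skeleton is constructed for testing only. Note that many legitimate binaries also ship with CheckSum 0, so a hit only means a file fits the virus's target profile and deserves a closer look, not that it is infected.

```python
import os
import struct

# Target profile stated in the write-up: 10 KB to 195 KB, PE CheckSum == 0.
MIN_SIZE = 10 * 1024
MAX_SIZE = 195 * 1024

def pe_checksum_field(data: bytes):
    """Return the CheckSum field of the PE optional header, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need PE signature (4) + COFF header (20) + at least 68 bytes of optional header.
    if e_lfanew + 92 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    return struct.unpack_from("<I", data, opt + 64)[0]

def matches_klniber_profile(data: bytes) -> bool:
    """True if the image is a PE inside the size window with CheckSum == 0."""
    if not MIN_SIZE <= len(data) <= MAX_SIZE:
        return False
    return pe_checksum_field(data) == 0

def scan_directory(path: str):
    """Names of files in one directory (non-recursive) that fit the profile."""
    hits = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as f:
                if matches_klniber_profile(f.read()):
                    hits.append(name)
    return hits

def make_sample_pe(size: int, checksum: int) -> bytes:
    """Constructed minimal PE32 skeleton (not a runnable program) for testing."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> 0x40
    coff = b"PE\0\0" + b"\0" * 20                # signature + COFF header
    opt = bytearray(0x60)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)    # CheckSum field
    body = bytes(hdr) + coff + bytes(opt)
    return body + b"\0" * (size - len(body))
```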
The virus only infects files from the current directory.

Last update: 21 November 2011