
Win32.Pal.A


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Pal.A is also known as Friendly, Patriot.

Explanation:

The virus is a file infector for PE executable files. It infects only files that have the extension ".exe" and IMAGE_DOS_HEADER.e_lfarlc set to 40h.
Its signature is easy to spot: the virus places a * in front of the PE signature in infected files.
It does not infect files that begin with the following strings: "DRWE", "SPID", "INST", "SETU", "KAV".
The virus has a garbage-generating routine which changes its shape and size on every new infection.
It hides itself in the last available section. It may overwrite data if not enough space is available.

The virus comes encrypted with a random key. Infection starts immediately after the damaged program is executed: the virus creates a new infection thread for each accessible drive and continues for as long as the infected program runs. Between the infection of two consecutive files, the virus waits for 20 seconds. On infection it may damage some executable files.

The virus creates an .html document on the available floppy drive containing its name. The floppy drive is accessed every 30 seconds. It also puts its name in the title bar of every window that is visible at the moment. Every 25 January, the virus periodically swaps the functions of the mouse buttons.

The virus neither deletes nor changes the function of other programs.
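
A triage check for the two header traits described above (e_lfarlc set to 40h, and a * in front of the PE signature), added here as an example and not taken from BitDefender's write-up. It assumes "in front of" means the single byte immediately before the "PE\0\0" signature; the function names and the sample header are constructed for illustration.

```python
import struct

E_LFARLC_OFF = 0x18  # IMAGE_DOS_HEADER.e_lfarlc (WORD)
E_LFANEW_OFF = 0x3C  # IMAGE_DOS_HEADER.e_lfanew (DWORD, offset of "PE\0\0")
MARKER = ord("*")    # assumption: the single byte just before "PE\0\0"

def pal_a_indicators(data: bytes) -> dict:
    """Header indicators for one file image; malformed input yields all False."""
    ind = {"is_pe": False, "lfarlc_40h": False, "star_marker": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ind
    (e_lfarlc,) = struct.unpack_from("<H", data, E_LFARLC_OFF)
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFF)
    # e_lfanew must leave room for the preceding byte and the 4-byte signature.
    if e_lfanew == 0 or e_lfanew + 4 > len(data):
        return ind
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ind
    ind["is_pe"] = True
    ind["lfarlc_40h"] = e_lfarlc == 0x40
    ind["star_marker"] = data[e_lfanew - 1] == MARKER
    return ind

def triage(data: bytes) -> str:
    ind = pal_a_indicators(data)
    if not ind["is_pe"]:
        return "not-pe"
    if ind["star_marker"]:
        return "marker-present"      # matches the described infection marker
    if ind["lfarlc_40h"]:
        return "eligible-unmarked"   # meets the header condition, no marker
    return "not-eligible"

def build_sample(lfarlc: int, byte_before_pe: int) -> bytes:
    """Constructed minimal MZ/PE header for testing (not a real executable)."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<H", hdr, E_LFARLC_OFF, lfarlc)
    struct.pack_into("<I", hdr, E_LFANEW_OFF, 0x80)
    hdr[0x7F] = byte_before_pe
    return bytes(hdr) + b"PE\0\0" + bytes(20)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            # Only the first 64 KiB is read; a PE header beyond that reports "not-pe".
            print(path, triage(fh.read(0x10000)))
```

A "marker-present" result is a triage indicator to confirm with an antivirus scan, not a verdict, since a clean file can carry that byte value by coincidence.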

Last update 21 November 2011

 
