
Win95.Padania.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Win95.Padania.A.

Explanation :

This is a proof-of-concept file-infector virus that takes advantage of a Windows 95/98 vulnerability allowing a virus to copy its code into kernel space at offset 0x1000 from address 0xC0000000. After installing itself it behaves like a TSR (Terminate and Stay Resident) program, hooking VxD functions to intercept all disk activity in the system. When an executable file is accessed (on execution, or merely when the files in a directory are listed) the virus gains control and infects that file.

The virus can infect a file in one of three similar ways, depending on the file's structure. If the victim has no .reloc section, the virus simply adds a new section and sets the entry point (EIP) in the PE header to point to it. If the victim has a .reloc section, the virus overwrites that section with its code and changes the PE header so that the fix-up (relocation) section is no longer referenced.
In the .reloc case the virus has two ways of gaining control at that position. The simple one is to change the EIP in the PE header; the second is to place a JMP from the body of the program to the virus code.
To find a suitable position for the JMP, the virus uses the original .reloc section, whose data helps it locate suitable instructions. It places the JMP near the original EIP, so it is very probable that the JMP will be executed (a JMP placed at a random position would not activate the virus as often).
Because the .reloc section is overwritten rather than extended, it is very probable that the file size of the infected file does not change (the .reloc section is often larger than the virus anyway), which also gives the infection a degree of stealth.
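The two infected-file layouts described above leave traces in the PE header that a scanner can check without executing the file. The following is an added example, not BitDefender's or this site's code: a minimal PE32 header walk with heuristic checks for an entry point inside .reloc, a .reloc section marked executable, a .reloc section still listed while the base relocation directory has been cleared, and an entry point in the last (appended) section. The function names, the heuristics and the header-only sample images built by build_pe32 are assumptions for illustration, not signatures taken from the description.

```python
import struct
IMAGE_SCN_MEM_EXECUTE = 0x20000000
RELOC_DIR = 5  # index of the base relocation table in the PE data directory

def parse_pe32(data):
    """Minimal PE32 header walk: entry-point RVA, relocation directory, section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE file"
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt = e_lfanew + 24                                            # optional header
    sec0 = opt + struct.unpack_from("<H", data, e_lfanew + 20)[0]  # section table
    entry = struct.unpack_from("<I", data, opt + 16)[0]            # AddressOfEntryPoint
    reloc_dir = struct.unpack_from("<II", data, opt + 96 + 8 * RELOC_DIR)
    sections = []
    for off in range(sec0, sec0 + 40 * nsec, 40):
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode(), vaddr, max(vsize, rawsize), chars))
    return entry, reloc_dir, sections

def padania_indicators(data):
    """Heuristics (assumed, not official signatures) for the two layouts described above."""
    entry, (reloc_rva, _), sections = parse_pe32(data)
    findings, last = [], len(sections) - 1
    for idx, (name, vaddr, size, chars) in enumerate(sections):
        if vaddr <= entry < vaddr + size:
            if name == ".reloc":
                findings.append("entry point lies inside .reloc")
            elif idx == last and last > 0:
                findings.append("entry point lies in the last (appended) section")
        if name == ".reloc" and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(".reloc is marked executable")
    if any(s[0] == ".reloc" for s in sections) and reloc_rva == 0:
        findings.append(".reloc present but base relocation directory cleared")
    return findings

def build_pe32(entry, reloc_dir, sections):  # constructed header-only image, no code
    dos = bytearray(b"MZ" + b"\0" * 0x3E); struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * RELOC_DIR, *reloc_dir)
    tbl = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), sz, va, sz, 0, 0, 0, 0, 0, ch)
                   for n, va, sz, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + tbl

TEXT, RELOC = (".text", 0x1000, 0x1000, 0x60000020), (".reloc", 0x3000, 0x1000, 0x42000040)
CLEAN = build_pe32(0x1010, (0x3000, 0x200), [TEXT, RELOC])        # constructed clean layout
RELOC_OVERWRITTEN = build_pe32(0x3040, (0, 0), [TEXT, RELOC[:3] + (0x60000020,)])
```

padania_indicators(CLEAN) returns no findings, while the constructed .reloc-overwritten layout triggers all three .reloc checks.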

Last update 21 November 2011
