Virus Database


Win95.Spaces.1245

Description Win95.Spaces.1245

It is a dangerous memory resident parasitic Windows virus. It replicates under Win95/98 only and infects Win32 executable files (PE EXE - Portable Executable). When an infected file is run, the virus installs itself into Windows memory, hooks disk file opening and infects the files that are opened. While infecting, the virus writes itself to the end of the file, into the last file section, increasing that section's size.
On June 1st the virus corrupts the MBR of the hard drive and halts the computer. The virus erases the MBR loader's code and patches the Disk Partition Table so that just one partition is listed, and it points to the MBR sector, i.e. to itself: the partition table loops to itself. This kind of corruption is very dangerous: most current DOS versions (including MS-DOS) halt while loading because they enter an endless loop while looking for the last disk partition. As a result the data on the disk are not destroyed, but the disk is not accessible even when booting from a floppy drive. (The AVP package is distributed with a DOS floppy disk that does not have this problem: it loads DOS with no side effects and brings up the DOS prompt, and the disk can then be recovered with any disk editing utility.)
While corrupting the MBR sector, the virus overwrites it by writing directly to the hard drive controller's ports, which bypasses BIOS anti-virus protection. This routine has a bug, and in some cases (depending on the system configuration) the virus causes a "General Protection Fault" error message instead, and this saves the MBR.
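A recovery-side check for the looped partition table described above, as an added example that is not part of the original description: it parses a saved copy of the MBR sector and reports any partition entry whose start address is the MBR sector itself. The function names, the sample sectors and the partition type 0x05 in the looped sample are assumptions.

```python
import struct

TABLE_OFFSET = 0x1BE  # four 16-byte partition entries, then the 55 AA signature

def parse_entries(mbr):
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("expected a 512-byte sector ending in 55 AA")
    entries = []
    for slot in range(4):
        raw = mbr[TABLE_OFFSET + 16 * slot:TABLE_OFFSET + 16 * (slot + 1)]
        if raw == bytes(16):
            continue  # unused slot
        head, sec_cyl, cyl_low = raw[1], raw[2], raw[3]
        entries.append({
            "slot": slot,
            "type": raw[4],
            # CHS start: sector is the low 6 bits, cylinder borrows the top 2
            "chs": (cyl_low | ((sec_cyl & 0xC0) << 2), head, sec_cyl & 0x3F),
            "lba": struct.unpack_from("<I", raw, 8)[0],
        })
    return entries

def looped_slots(mbr):
    """Slots whose start address is the MBR sector itself (LBA 0 or CHS 0/0/1)."""
    return [e["slot"] for e in parse_entries(mbr)
            if e["lba"] == 0 or e["chs"] == (0, 0, 1)]

def build_mbr(ptype, chs_start, lba, count):
    """Constructed sample: an MBR sector with one entry in slot 0."""
    cyl, head, sec = chs_start
    chs = bytes([head, sec | ((cyl >> 8) << 6), cyl & 0xFF])
    sector = bytearray(512)
    sector[TABLE_OFFSET:TABLE_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x00, chs, ptype, chs, lba, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

# Constructed samples. Type 0x05 for the looped entry is an assumption;
# the description does not say which partition type the virus writes.
HEALTHY = build_mbr(0x06, (0, 1, 1), 63, 1_000_000)
LOOPED = build_mbr(0x05, (0, 0, 1), 0, 1)

if __name__ == "__main__":
    for name, sector in (("healthy", HEALTHY), ("looped", LOOPED)):
        print(name, "-> self-referencing slots:", looped_slots(sector))
```

Run it against a 512-byte image of sector 0 taken from a clean boot medium; a non-empty result means the table must be repaired before an operating system that walks the partition chain is allowed to read the disk.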
The virus was named "Spaces" because it uses two spaces to detect its copy in Windows memory (these spaces are returned by an "are-you-here?" virus function). The virus also uses two spaces to tell infected files from uninfected ones: it writes them to the reserved field in the PE header.
The virus can be detected manually by the text string that is present at the end of infected files:
ERL

Tech notes
The virus installation procedure and some other routines are very close to those of "Win95.CIH". It seems the author of this virus used the "Win95.CIH" code as a base. The virus installs itself into the Windows kernel as a VxD driver: it jumps from the application Ring3 level to the system kernel Ring0 by patching the protected mode Interrupt Descriptor Table, then allocates a block of system (VxD) memory, copies its code there, intercepts the IFS API Windows calls, returns to the Ring3 level and jumps to the host program's code. These routines are very close to the "Win95.CIH" virus. Other routines are not.
To detect its copy in Windows memory the virus also hooks the IFSMgr_Get_Version Windows VxD function. The virus detects its copy by making this call with AX=2020h (two spaces); the "resident" virus copy returns DEADh in the AX register.


Angel.1000.a

Description Angel.1000.a

It is a non-dangerous, non-memory-resident parasitic virus. It searches for .COM files and writes itself to the end of the file. On November 29th it displays a message in Russian.

Angel_2 Family

Description Angel_2 Family

These are dangerous memory resident parasitic viruses. They hook INT 21h and write themselves to the end of COM and EXE files.


Angel_2.661
It hits the files that are executed. The virus checks the code of the programs that are being executed, and in some cases patches that code (to disable some anti-virus scanner?). The virus contains the internal text string:
v6 Angel




Angel_2.1571
It is an encrypted virus. It hits the files that are accessed. The virus has a bug and can infect data files as if they were COM files.


    Copyright © 2005 Virus-Database.com