W32/Bika

description-logoAnalysis

  • Virus is 32bit and viral body is 1906 bytes
  • When virus is run, it runs memory resident and attempts to identify 32bit files – this is done by examining files for the presence of “MZ” as the first two bytes of files accessed on the infected system – the virus then attempts to identify if the target file contains a PE header, designated as “PE” – one the file is determined to be 32bit, it is then targeted by the virus
  • Virus appends its code to target EXE files and adjusts the file entry point to point to the infectious code
  • Virus locates the Windows folder and infects files in that location first before infecting files in other locations
  • Virus may store the path and filenames of files which reside on the target system as UNICODE within infected files

Telemetry logoTelemetry