Name: Win95.K32.101 Category: Viruses Description: Details Win95.K32.1012 This is a benign memory resident parasitic virus. It infects the Windows95 system memory, and writes itself to the end of PE EXE files. On February 19th, it displays the following MessageBox: nIgr0_lives_here!!!! Virus K32 por nIgr0 all "Hazlo o no lo hagas pero no lo intentes" When an infected file is executed, the virus scans the KERNEL32.DLL data, obtains necessary Windows functions addresses (CreateFile, SetFilePointer, ReadFile, WriteFile, CloseHandle, CreateProcessA, GetModuleHandleA, and GetProcAddress), copies itself into unused data in the Windows kernel and hooks CreateProcess function. To hook this function, the virus patches a Windows kernel with a Jmp_Virus instruction. While infecting a file, the virus increases the size of its last file section, and writes itself to there.