Name: Win95.Dod Category: Viruses Description: Details Win95.Dodo It is not a dangerous memory resident parasitic virus. It replicates under Win9x systems only. Known virus version does not infect WinME systems because of a bug. The virus stays in Windows memory as a component of KERNEL32.DLL system library, patches KERNEL32 addressed to install its hook on file opening calls, and then infects PE EXE and DLL files that are opened. While infecting a file the virus writes itself to "caves" in file body, if there are such ones. The infection method looks similar to the "Win95.CIH" virus: the virus body is split to blocks that are stored at the end of PE sections, if there are "caves" of enough size. Starting from 2001 on 1st day of each month the virus sets the system date to 1981. The virus contains the text strings: Dodo 1.2