Name: Win32.Hales Category: Viruses Description: Details Win32.Haless It is not a dangerous nonmemory resident parasitic Win32 virus. It does work under Win32 including WinNT. When an infected file is executed, the virus scans Windows kernel and gets addresses of necessary Windows functions, then scans the subdirectory tree on all drives in the system and infects PE EXE files that are found. While infecting the virus looks for a zero-bytes cave in PE EXE header, and writes its code to there, if there is enough space. The virus does not manifest itself in any way. It contains the text string: Infected by Win32.TechnoMix.Harmless.1 The files searching and infection routine is run as an additional process' thread. The virus runs it and returns control to the host program, and the infection thread does its work in background up to the moment the host application terminates. As a result, if the infected application stays active for long time, the virus may infect all "infectable" PE EXE files on the hard drive.