Name: Win32.Santana.110 Category: Viruses Description: Details Win32.Santana.1104 Win32.Santana is a memory resident parasitic encrypted Win32 virus. It affects PE EXE files (Win32 executable files) by writing its code to a file end and modifying necessary PE header fields. The virus does not manifest itself in any way. It contains the text string: Virus "SANTANA" created by Net'$ Wa$te [RespawneD EViL] When an infected file is executed, the virus gets control, decrypts itself and calls its main routine. That routine scans Windows kernel to get addresses of necessary file access functions and then checks system environment. Under Windows NT the virus then calls direct infection routine: it searches for all PE EXE files in the current directory, infects them and returns control to the host program. Under Windows 95/98, the virus scans the VxD memory area and looks for a cave in there (zero bytes cave - not used area).. The virus copies its code to that cave, switches its process to kernel mode (Ring0), hooks SetCurrentDirectoryA Windows function (selecting a new directory) and stays in the system memory as a component of the Windows kernel. On selecting the new directory the virus runs its find-and-infect routine. Where there is no cave of reasonable size, the virus calls the direct infection routine in the same way as under Windows NT.