Name: Win95.Caw.126 Category: Viruses Description: Details Win95.Caw.1262 This is a dangerous memory resident parasitic Win95/98 virus. When an infected program starts, the virus gets control, switches itself from application level (Ring3) to Windows kernel (Ring0), allocates a block of Windows memory, hooks file-access functions (IFS API) and stays "memory resident" as a system VxD driver. The virus then intercepts file opening function and writes itself to the end of PE EXE files that are opened. While infecting a file, the virus increases the last file section and writes itself to there. The virus has a bug, and in some cases, corrupts files while infecting them. When such files are run, they cause a standard Windows message about an error in application. The virus has two very dangerous payloads. 1. on July 7th upon each file opening, the virus erases 16 sectors at random positions on the C: drive. 2nd: if the current minutes are 0, the virus deletes the files that are being opened: WINWORD.EXE, and files with extensions: BMP, JPG, DOC, WRI, BAS, SAV, PDF, RTF, TXT. This "feature" can be "customized": if there is a file "C:AW", the virus gets "sacrificial" file names and extensions from this file, and deletes them. The name of this file was the reason for naming the virus.