Win95.Markj.82 Spyware/Adware Definition
Name: Win95.Markj.82
Category: Viruses
Description:
Details
Win95.Markj.826
This is a memory-resident parasitic Windows 95 virus. When an infected file is executed, the virus copies itself into a cave in the Windows kernel (VMM data), hooks the IFS API, and infects PE executable files as they are opened. During infection it creates a new section named "MarkJ_I" at the end of the file, writes its code there, and patches the PE header with a 46-byte entry routine. When an infected file is executed, this entry routine takes control and passes it to the main virus routine.
The virus uses a trick to run in Ring 0 so that it can intercept the IFS API. It patches the PE header so that the main virus code is loaded into an unused block of Windows VMM data at address C0000000h. Windows 95 does not protect this block, so it is possible to write to that area and, moreover, to load a section of a PE executable file there; the virus exploits this feature of Windows 95 security.
This is an experimental "semi-virus" because it infects only files that have the COM file name extension and the Portable Executable internal file format. No such files were found in standard Win32 applications, so EXE files have to be renamed to COM for the virus to spread.
On June 25th the virus displays a system error box containing the text:
Happy Birth Day to Mark J
From Murkry
OK
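An added example (not part of the original description): a static check for the file-level traits described above, namely a PE file with a COM extension, a last section named "MarkJ_I", and a section that loads at or above C0000000h. The function names, the constructed sample header and the load-address heuristic (ImageBase + VirtualAddress) are assumptions, not details from the description.

```python
import struct

MARKER = b"MarkJ_I"      # section name from the description above
VMM_BASE = 0xC0000000    # address from the description above

def pe_sections(data):
    """Return (image_base, [(name, virtual_address), ...]) or None if not PE32."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24
    if opt_size < 32 or opt + opt_size > len(data) or data[opt:opt + 2] != b"\x0b\x01":
        return None
    image_base, = struct.unpack_from("<I", data, opt + 28)
    sections = []
    for off in range(opt + opt_size, opt + opt_size + 40 * nsec, 40):
        if off + 40 > len(data):
            break                                        # truncated section table
        va, = struct.unpack_from("<I", data, off + 12)
        sections.append((data[off:off + 8].rstrip(b"\0"), va))
    return image_base, sections

def markj_indicators(filename, data):
    parsed = pe_sections(data)
    if parsed is None:
        return []
    image_base, sections = parsed
    hits = []
    if filename.lower().endswith(".com"):
        hits.append("pe-with-com-extension")
    if sections and sections[-1][0] == MARKER:
        hits.append("last-section-MarkJ_I")
    # Assumption: the patched header shows up as a section load address in the VMM area.
    if any((image_base + va) & 0xFFFFFFFF >= VMM_BASE for _, va in sections):
        hits.append("section-loads-at-or-above-C0000000h")
    return hits

def build_sample(names_vas, image_base=0x400000):
    """Constructed minimal PE32 header image (no real code) for exercising the checks."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names_vas), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 26 + struct.pack("<I", image_base) + b"\0" * 192
    secs = b"".join(n.ljust(8, b"\0") + struct.pack("<II", 0x1000, va) + b"\0" * 24
                    for n, va in names_vas)
    return dos + b"PE\0\0" + coff + opt + secs
```

Each indicator alone is weak (a renamed PE file is not necessarily infected); the section name is the most specific of the three.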