
demig.1635


Description: Details
Demig.16354

This is a harmless multipartite virus. It infects DOS, MS Windows and MS Office (Excel) files:
DOS: the virus infects COM, EXE and BAT files
Win32: PE EXE files and the KERNEL32.DLL library
MS Office: creates an Excel "virus dropper" file
The virus itself is a Win32 PE EXE program and can perform all its functions only when run in a Win32 environment. The other infected components are "virus droppers": the virus cannot spread directly from such a file, but uses a trick to drop its Win32 copy from it. When an infected DOS file is run, or an affected Excel sheet is opened, the attached virus routine creates the C:\DEMIURG.EXE file, extracts the Win32 virus code into it and spawns that file. The main virus routine then gets control.
The virus is memory resident under Win32. The affected KERNEL32.DLL hooks file access functions (file opening, copying, moving, accessing file attributes) and infects the COM, EXE and PE EXE files that are accessed.
While infecting a file, the virus writes itself to the end of the file. DOS COM, EXE and BAT files are converted to "droppers". Win32 PE files are infected with the main virus code, so the virus can spread directly from an infected PE file without creating additional files.
To infect the Win32 KERNEL32.DLL module the virus uses a trick. That file is permanently in use by Windows and is therefore locked for writing. To infect it, the virus copies the file from the Windows system directory (where it is placed by default) to the Windows root directory and infects that copy, for example:
C:\WINDOWS\SYSTEM\KERNEL32.DLL - original file in system directory
C:\WINDOWS\KERNEL32.DLL - infected copy in Windows root directory
When Windows is restarted, it looks for the KERNEL32.DLL library first in the Windows root directory, then in the system directory, and so it loads the infected library instead of the original (clean) one.
To affect MS Excel the virus creates its complete image (in text format) in the C:\DEMIURG.SYS file, then looks up Excel's location in the system registry and creates the DEMIURG.XLS file there. This XLS file contains a short macro subroutine that completes the job. On its next start MS Excel automatically loads that file and activates the "Auto_Open" subroutine in it. That subroutine reads the complete virus code from the C:\DEMIURG.SYS file, converts it to the binary PE EXE file C:\DEMIURG.EXE and spawns it. The main virus code gets control as a result.
While affecting MS Excel the virus also disables the VirusProtection Excel option.
The virus doesn't manifest itself in any way. It contains the "copyright" text string:
[The Demiurg] - a Win32 virus by Black Jack
written in Austria in the year 2000
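The file-system traces described above can be checked on a mounted, read-only copy of the affected drive. The following triage script is an added example, not part of the original description: the function names are hypothetical, the WINDOWS\SYSTEM layout is assumed from the example paths above, and a name match is an indicator to investigate, not proof of infection.

```python
import os
import sys

# File names taken from the description above; matched case-insensitively
# because FAT volumes and mounted images do not preserve a fixed case.
DROPPED_IN_ROOT = {"demiurg.exe", "demiurg.sys"}
EXCEL_DROPPER = "demiurg.xls"


def _child(parent, name):
    """Return the real path of entry `name` in `parent`, ignoring case, or None."""
    try:
        for entry in os.listdir(parent):
            if entry.lower() == name.lower():
                return os.path.join(parent, entry)
    except OSError:
        pass  # missing directory, or `parent` is not a directory
    return None


def find_demiurg_artifacts(drive_root, windir="WINDOWS"):
    """Scan a mounted copy of drive C: and return sorted (kind, path) findings."""
    findings = []
    for name in DROPPED_IN_ROOT:
        path = _child(drive_root, name)
        if path:
            findings.append(("dropped-file", path))
    win = _child(drive_root, windir)
    if win:
        # A KERNEL32.DLL directly in the Windows directory shadows the system copy.
        shadow = _child(win, "KERNEL32.DLL")
        system = _child(win, "SYSTEM")
        original = _child(system, "KERNEL32.DLL") if system else None
        if shadow and os.path.isfile(shadow):
            kind = "kernel32-shadow-copy"
            # The virus appends itself, so an infected copy is larger than the original.
            if original and os.path.getsize(shadow) > os.path.getsize(original):
                kind = "kernel32-shadow-copy-larger-than-original"
            findings.append((kind, shadow))
    for folder, _dirs, files in os.walk(drive_root):
        for f in files:
            if f.lower() == EXCEL_DROPPER:
                findings.append(("excel-dropper", os.path.join(folder, f)))
    return sorted(findings)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for kind, path in find_demiurg_artifacts(root):
        print(f"{kind}\t{path}")
```

Run it with the mount point of the image as the only argument; each finding is printed as a kind and a path.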

Updated: 02/24/2006
Copyright @2006 demig.1635
Webroot Software Inc.