em.130
Webroot Antivirus: The best protection against viruses, spyware data theft and hackers.
Description:
Details
Em.1303
These are dangerous non-memory resident encrypted parasitic viruses. While executing an infected EXE file, the virus opens the C:\AUTOEXEC.BAT file, reads the file contents, searches for the line which begins with "path" or "PATH" strings, and inserts the line "em" as the next line:
all
PATH= ...
em
...
Then the virus creates a C:\EM.COM file, and writes the encrypted virus body (1303 bytes) there, so the virus creates its COM dropper. Then the virus returns control to host EXE file.
While executing the virus dropper EM.COM (when "infected" AUTOEXEC.BAT receives the control), the virus searches for all .EXE files on the C: drive, and writes itself at the files' end.
On the 28th of any month, the virus summons the trigger routine, which scans the disk for all directory objects (files, subdirectories and volume labels) by using the absolute disk read/write functions INT 25h/26h, and replaces the first letter of the objects name with a SPACE character (20h); after such a correction, DOS cannot access these files/subdirectories.
The virus contains the following internal text strings:
path
PATH
em.com c:\ autoexec.bat c:\*.* *.exe
Copyright @2006 em.130