esperanto.473
Webroot Antivirus: The best protection against viruses, spyware data theft and hackers.
Description:
Details
Esperanto.4733
This is multiplatform parasitic virus. It infects DOS COM and EXE, Windows EXE (NE) and Windows32 EXE (PE) files. It also has a part of code that looks like a MDEF Macintosh resource and seems to be also a virus for Macintosh. I see no way for that virus to spread from Macintosh to PC, and from PC to Macintosh - being executed as DOS/Win application the virus pays no attention for Mac files. It seems that the same for infected Mac programs - the virus does not pay attention for DOS/Win files. I see the only way to spread that virus from Mac to PC and back - to copy and run it "manually".
When an infected file is executed under DOS, the virus hooks INT 21h and stays memory resident. When files are executed or accessed by FindFirst/Next DOS calls, the virus infects them. The virus also searches for COM and EXE files and infects them. Being executed as Windows or Windows32 application, the virus does not leave its TSR copy in the memory - it just searches for files and infects them.
While infecting the virus parses internal file format, separates DOS COM, EXE, NewEXE and Portable EXE files and infects them in different ways: writes itself to the end of DOS COM and EXE files and modifies file header, creates new section in Windows NE files, appends itself to the last section in Windows32 PE files.
Being executed as Windows32 application the virus also checks the system time and depending on it displays the MessageBox:
[Esperanto, by Mister Sandman/29A]
Never mind your culture / Ne gravas via kulturo,
Esperanto will go beyond it / Esperanto preterpasos gxin;
never mind the differences / ne gravas la diferencoj,
Esperanto will overcome them / Esperanto superos ilin.
Never mind your processor / Ne gravas via procesoro,
Esperanto will work in it / Esperanto funkcios sub gxi;
never mind your platform / Ne gravas via platformo,
Esperanto will infect it / Esperanto infektos gxin.
Now not only a human language, but also a virusall
Turning impossible into possible, Esperanto.
The virus also contains the text strings that are used while infecting Windows32 files:
KERNEL32.DLL USER32.DLL GetModuleHandleA GetProcAddress MessageBoxA
CreateFileA CreateFileMappingA MapViewOfFile UnmapViewOfFile CloseHandle
FindFirstFileA FindNextFileA FindClose LoadLibraryA GetLocalTime
Copyright @2006 esperanto.473