W32/Bika
Analysis
- The virus is 32-bit, and its viral body is 1906 bytes.
- When run, the virus stays memory resident and attempts to identify 32-bit files among the files accessed on the infected system. It first checks for “MZ” as the first two bytes of the file, then checks whether the file contains a PE header, designated as “PE”. Once a file is determined to be 32-bit, the virus targets it.
- The virus appends its code to target EXE files and adjusts the file entry point to point to the infectious code.
- The virus locates the Windows folder and infects files in that location first, before infecting files in other locations.
- The virus may store the path and filenames of files that reside on the target system as Unicode within infected files.
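
The header checks and the entry-point change described above suggest a triage heuristic for defenders. The following Python is an added example, not part of the original analysis: it applies the same “MZ” and “PE” checks and reports whether the entry point falls in the last section, assuming appended code is mapped as part of that section. The function names and the header-only sample image are constructed for illustration.

```python
import struct

def entry_point_in_last_section(data: bytes):
    """True/False for a PE image, None if the MZ or PE check fails."""
    if len(data) < 0x40 or data[:2] != b"MZ":          # DOS header magic
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of PE header
    if e_lfanew + 44 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                                 # optional header start
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    table = opt + opt_size                              # section table start
    if table + 40 * num_sections > len(data):
        return None                                     # truncated headers
    sections = []
    for i in range(num_sections):
        vsize, vaddr, rsize, _ = struct.unpack_from("<IIII", data, table + 40 * i + 8)
        sections.append((vaddr, max(vsize, rsize)))
    if len(sections) < 2:
        return False        # with a single section the heuristic says nothing
    vaddr, span = max(sections)                         # highest virtual address
    return vaddr <= entry_rva < vaddr + span

def build_sample(entry_rva: int) -> bytes:
    """Constructed header-only image with two sections; not a real program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0x200, 0, 0, entry_rva).ljust(0xE0, b"\0")
    def sec(name, vsize, vaddr, rsize, rptr):
        return name.ljust(8, b"\0") + struct.pack("<IIII", vsize, vaddr, rsize, rptr) + b"\0" * 16
    return (dos + coff + opt + sec(b".text", 0x200, 0x1000, 0x200, 0x400)
            + sec(b".data", 0x800, 0x2000, 0x800, 0x600))

if __name__ == "__main__":
    for label, rva in (("entry in first section", 0x1010), ("entry in last section", 0x2010)):
        print(label, "->", entry_point_in_last_section(build_sample(rva)))
```

A True result is a reason to look closer, not a verdict, since some packers and protectors also place the entry point in the final section.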