Virus

W32/Cabanas_Family

Analysis

  • Virus is 32-bit and uses anti-debugging techniques to hinder analysis by some common methods
  • Virus runs memory resident and injects its code into files only if their file size is not evenly divisible by 101; if the size divides with no remainder, the virus assumes the file is already infected
  • Virus infects EXE and SCR files in the Windows folder initially and later infects files elsewhere on the hard drive
  • Virus contains the string “Win32.Cabanas” in its code
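
The two file-level traits listed above (a size evenly divisible by 101, and the “Win32.Cabanas” string) can be combined into a triage check over EXE and SCR files. The Python below is an added example, not part of the original description or of any vendor's tooling; the function names and the sample files are hypothetical, and it assumes the string is stored unencoded in an infected file.

```python
import os

MARKER = b"Win32.Cabanas"       # string the page says the virus code contains
EXTENSIONS = (".exe", ".scr")   # file types the page says are infected
CHUNK = 1 << 20                 # read size for streaming large files

def contains_marker(path, marker=MARKER):
    """Stream the file, keeping a tail so a match across chunks is not missed."""
    tail = b""
    with open(path, "rb") as fh:
        while block := fh.read(CHUNK):
            if marker in tail + block:
                return True
            tail = (tail + block)[-(len(marker) - 1):]
    return False

def triage(root):
    """Map path -> 'both' | 'size-only' | 'string-only' | 'unreadable'.

    'size-only' is weak: about 1 in 101 clean files has such a size.
    Assumption: the marker is stored unencoded in the infected file.
    """
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                string_hit = contains_marker(path)
            except OSError:
                findings[path] = "unreadable"
                continue
            size_hit = size > 0 and size % 101 == 0
            if size_hit and string_hit:
                findings[path] = "both"
            elif size_hit or string_hit:
                findings[path] = "size-only" if size_hit else "string-only"
    return findings

def build_samples(root):
    """Constructed, harmless sample files (filler bytes, not real binaries)."""
    samples = {"clean.exe": b"A" * 100, "padded.scr": b"A" * 202,
               "marked.exe": MARKER + b"A" * (303 - len(MARKER)),
               "odd.exe": MARKER + b"A" * 50, "notes.txt": b"A" * 101}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
```

A size-only result is a reason to run a full scan on the file rather than a detection in itself.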