Virus

W95/Dupator.1503

Analysis

  • Virus is 32bit and targets Windows 95/98/Me platform .EXE files
  • When run, virus will copy existing “KERNEL32.DLL” from Windows\System folder and writes an infectious file “KERNEL32.DLL” into the Windows folder – the virus code is appended to this file
  • When Windows is restarted, EXE files executed or accessed will become infected due to the infectious KERNEL32.DLL file being loaded into memory
  • Virus contains the string “@DUPATOR!” in its code after the PE section headers