SECURITY ALERT

Name:      Win32.Maya
Aliases:   Maya
Variants:  
Type:      File
Platforms: Windows
Status:    not known to be in the wild
Threat:    low

Virus Characteristics

Win32.Maya replicates under Win32 and infects Windows executable files (PE EXE files). When an infected program is executed, the virus takes control, searches for EXE files in the current and Windows directories, and infects them. When infecting a file, the virus appends itself to the end of the last file section and increases its size.

The virus is "per-process resident": after infecting files in disk directories, the virus hooks several Windows file access functions and infects PE EXE files that are accessed. These hooks are valid only while the infected program is running. When the host process is terminated, the virus copy is also terminated, but in the case of "long-life" applications such as editors or Internet browsers the virus can stay in system memory for a long time.

To get access to Windows functions, the virus scans the KERNEL32 export table, gets the address of the GetProcAddress function, and then uses it to get the addresses of the functions it needs:

KERNEL32.DLL:

GetModuleHandleA GetProcAddress CreateFileA WriteFile GetFileSize CreateFileMappingA MapViewOfFile UnmapViewOfFile CloseHandle FindFirstFileA FindNextFileA FindClose SetFilePointer SetEndOfFile GetCurrentDirectoryA SetCurrentDirectoryA GetFileAttributesA SetFileAttributesA GetSystemTime GetWindowsDirectoryA

USER32.DLL and ADVAPI32.DLL:

RegOpenKeyExA RegSetValueExA MessageBoxA SystemParametersInfoA

The "per-process resident" code of the virus scans the import table of the current (host) process and hooks the following Windows file access functions, if the process imports them:

MoveFileA CopyFileA CreateFileA DeleteFileA SetFileAttributesA GetFileAttributesA GetFullPathNameA CreateProcessA


Payload

Before returning control to the host program, the virus checks the system date; on the first day of any month, it fills the wallpaper with the "SLAM" text.



The virus then displays the MessageBox:

Virus Alert!
Win32.Maya (c) 1998 The Shaitan [SLAM]


Additional Details

The virus also contains the text strings:

To Aparna S. : Forever in love with you...
AYAM
IAHS
Control Panel\Desktop
TileWallpaper
WallpaperStyle
SLAM.BMP
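
A defender-side check built from two details in this entry, the append to the last file section and the embedded text strings, added here as an illustrative example and not code from the original write-up. It assumes the strings are stored unencrypted and that "last section" means the last entry in the section table; last_section, scan and build_sample are hypothetical names, and the sample image is constructed.

```python
import struct

# Text strings this entry lists as present in the virus body (assumed plaintext).
MARKERS = [
    b"Win32.Maya (c) 1998 The Shaitan [SLAM]",
    b"To Aparna S. : Forever in love with you...",
    b"SLAM.BMP",
]

def last_section(data):
    """Return (raw_offset, raw_size) of the last section-table entry, or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    nsec, = struct.unpack_from("<H", data, pe_off + 6)         # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)    # SizeOfOptionalHeader
    hdr = pe_off + 24 + opt_size + 40 * (nsec - 1)             # last 40-byte section header
    if nsec == 0 or hdr + 40 > len(data):
        return None
    raw_size, raw_off = struct.unpack_from("<II", data, hdr + 16)
    return raw_off, raw_size

def scan(data):
    """Return the marker strings found inside the last section's raw data."""
    sec = last_section(data)
    if sec is None:
        return []
    off, size = sec
    body = data[off:off + size]
    return [m.decode("ascii") for m in MARKERS if m in body]

def build_sample(tail):
    """Constructed input: minimal two-section PE image (not loadable); last section holds `tail`."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    def sec(name, off, size):
        return name.ljust(8, b"\0") + struct.pack("<IIII", size, 0x1000, size, off) + b"\0" * 16
    hdrs = dos + coff + sec(b".text", 0x200, 0x200) + sec(b".data", 0x400, 0x200)
    return hdrs.ljust(0x200, b"\0") + b"\x90" * 0x200 + tail.ljust(0x200, b"\0")

if __name__ == "__main__":
    sample = build_sample(b"\0" * 8 + MARKERS[0] + b"\0" + MARKERS[2])
    print(scan(sample))                            # markers found in the last section
    print(scan(build_sample(b"ordinary data")))    # clean sample
```

A single short hit such as SLAM.BMP is a weak signal on its own; treat the full MessageBox string, or several markers together, as the stronger indicator.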
