Other Definitions
simile (enc)
simile (dict)
|
Win32/simileWin32/Simile is the latest product of the developments in metamorphic virus code. The virus was released in the most recent 29A #6 issue in early March 2002. It was written by the virus writer who calls himself The Mental Driller. Some of his previous viruses, such as Win95/Drill (which used the Tuareg polymorphic engine), have proved very challenging to detect. When the virus is first executed, it checks the current date. If the host file (the file that is infected with the virus) imports the Windows file User32.dll, then on the 17th of March, June, September, or December, a message is displayed. Depending on the version of the virus the case of the text is altered randomly. On May 14th, a message saying "Free Palestine!" will be displayed if the system locale is set to Hebrew. The virus then rebuilds itself. This process is very advanced, and is capable of both shrinking and expanding its code. This avoids the uncontrolled growth that is common for other metamorphic viruses. After the rebuild is complete, the virus searches for .exe files in the current folder, then in folders on all fixed and remote drives that exist when the virus is executed. Files will not be infected if they are located in a subfolder more than three levels deep, or if the folder name begins with the letter W. For each file that is found, there is a 50 percent chance that it will be ignored. Files will not be infected if they begin with the following: or if the letter V appears anywhere in the file name. Due to the way in which the name matching is done, file names that contain certain other characters - for example, those that begin with "FM" or contain the number 6 are also not infected. The virus contains many other checks to avoid infecting "goat" files (files that are commonly used to capture viruses). The infection process uses the structure of the host, as well as random factors, to control the placement of the virus body and the decryptor.
|
 |