Warning from DialogNauka: another dangerous virus is at large!
Russian software vendor DialogNauka (http://www.dials.ru,
http://www.DialogNauka.ru), a leader in antivirus protection, is sounding
the alarm about a dangerous new virus. The virus, dubbed Win95.SK.7977, was
discovered last week by the company's chief expert Igor Danilov, the author
of the Doctor Web antivirus scanner. The unusual feature of this virus is
its ability to spread freely through Windows HLP files. On top of that, it
propagates through Windows 95/98 executable files and through archives in
HA, RAR, ARJ and ZIP formats.
The virus is extremely dangerous, since it wipes out all files on all
logical disks of the computer as soon as the user tries to run one of the
most popular antivirus programs. It recognizes antivirus programs by the
first letters of their names, including their most probable modifications.
This applies to Doctor Web too, unless the cautious user has renamed its
program file, drweb.exe, in advance.
The company says Doctor Web is the only tool that reliably detects this
virus; none of the other antivirus scanners can see it so far. This is due
to the very unusual infection method the virus uses. It does not modify the
beginning of the program code; instead, it nests in the middle of the file,
inside one of the program's internal functions that is likely to be
executed under some circumstances. The virus scans the entire code for such
functions and chooses one of them arbitrarily.
Once the infected program is launched, the viral code may not be executed
at all until its host function is called by the program itself. It may lurk
in the file for years, waiting for the program or the user to perform a
certain action (e.g., pressing the F1 key). Control then passes to the
function, which has actually been replaced by the viral code.
DialogNauka officials say that the Win95.SK.7977 virus is effectively
detected by Doctor Web, beginning with version 4.04. In addition, the user
should rename the Doctor Web executable file in some non-obvious way. This
will prevent the destructive reaction of the virus to the launch of Doctor
Web.
The trial version of DrWeb for Win32 v4.04 beta may be downloaded free of
charge from the following FTP servers:
ftp://ftp.DialogNauka.ru/dsav/russian/drweb32w.zip
ftp://ftp2.DialogNauka.ru/dsav/russian/drweb32w.zip
ftp://ftp3.DialogNauka.ru/dsav/russian/drweb32w.zip
ftp://ftp.freeware.ru/pub/mycomputer/antivirus/drweb32w.zip
Source: InfoArt News Agency