PE_PADANIA

 Analysis by: Mark Joseph Manahan

 ALIASES:

Virus:Win95/Padania.1335 (Microsoft), W95/Padania (McAfee), Virus.Win9x.Padania.1335 (Kaspersky)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

EXE

Initial Samples Received Date:

27 Apr 1999

Arrival Details

This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

File Infection

This file infector infects the following file types:

  • .exe

NOTES:

When executed, this virus stores its codes in the Ring 0 Windows memory area to load itself in memory. It alters the PE file header so that the virus codes are accessed every time an infected file is executed.

If the target file contains a PE section with the name .reloc, it overwrites the section with its codes and deletes relocation information in the PE header. Otherwise, it adds the section, Padania, to store its virus codes.