Aliases: Win95.K32.3030, Win95/Hazlo
Variants: W95/K32.3030

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 13 Feb 2007
Damage: Low

Characteristics: The W95.K32 program is a memory inhabitant virus that infects Windows .exe. The virus is not negative but do have a payload.

More details about W95.K32

When the recent date is February 19 and a contaminated file is launched, it will show a massage box with the title “nIgr0_lives_here!!!!” and the following note: Virus K32 por nIgr0 ... "Hazlo o no lo hagas pero no lo intentes". This virus utilizes Windows functions that are transferred from KERNEL32.DLL. It looks for the subsequent functions in the memory: Create File, Set File Pointer, Read File, Write File, Close Handle, Create ProcessA, Get Module HandleA, Get Proc Address. Then, it launches Create ProcessA so that it will infect .exe files. This virus copies itself into the replica of KERNEL32.DLL in memory. Throughout infection, this virus appends itself to the last part of the executed file. The amount of contaminated files will enlarge by 3,030 bytes.

To remove this virus and to repair a contaminated system, reset the compromised computer, and boot to an uncontaminated boot floppy. Then, execute Norton Anti Virus to repair and detect contaminated files. The infection length is 3,030 bytes. For the threat assessment the wild level is low. The number of infection ranges from 0 to 49. The number of sites affected ranges from 0 to 2. The threat is classified as easy to contain. February 19 is the Payload Trigger of the virus. The main target of this virus for infection is Windows PE executable files. The virus has 3 different aliases.