Aliases: Win95.Paddi, W95/Paddix, Win95.Paddix.47952, W95/Paddix-A, Win95/Dyov.A
Variants: PE_PADDI.A, W32/Paddi, Win95.Paddi.A, W32/Paddi.A, Win95/Paddi.A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 04 Nov 2002
Damage: Low

Characteristics: The W95.Paddi virus is a direct infecting virus that contaminates under Windows Me/98/95.

More details about W95.Paddi

The W95.Paddi is a virus that has a lot of forms. This signifies that the virus has code, and every time that it contaminates a new file, it will re-code itself making use of a new key. The method of encryption will always be the same. When the virus is opened, it will code itself in the memory. Once the viral part is decoded, it begins its malicious acts. The virus will look for a certain space in “Kernel32.dll” in the memory. The “Kernel32.dll” memory address is hard coded in virus. The address is appropriate for all Windows Me/98/95 systems, but not for Windows XP/2000/NT. This is one of the main reasons it will not affect under Windows XP/2000/NT.

The virus imports a few functions from “Kernel32.dll” and stores the addresses to these purposes so that it could utilize them later. The virus next tries to attach the file “Paddingx.txt” in the folder of “C:\Windows\System”. If it doesn’t succeed to attach this file on the computer system, the virus will get the infection routine. This file has the code of the virus. The virus also has a routine that shows a message on the monitor and then goes in an infinite loop. However, this routine of the virus has to be manually removed of the .txt file before it could be opened.