Aliases: PE_SPACES.1245, Virus.Win9x.Spaces.1245, Virus:Win95/Spaces.1245, W32/Busm.1245
Variants: W32/Spaces.1245, W95/Spaces.1245, W95/Spaces.1245, Win95.Spaces.1245

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 28 Dec 1999
Damage: High

Characteristics: The W95/Spaces program is a dangerous virus that manipulates the Master Boot Record of an AT hard drive by making use of port commands on June 1 of every year. It modifies the Master Boot Record data area with the intention that the first partition points to itself. This will prevent the system from booting, when running MS-DOS versions, which contain a bug and are not able to boot the system appropriately.

More details about W95.Spaces

The virus has two variants that append either 1,245 or 1,633 bytes to the end section of the Portable Executable files. The Portable Executable header's entry points to the beginning of the virus at the last section. The characteristics of the last section is changed to a writeable file and the PE header's Reserved1 field contains 2 spaces. Hence the name of the virus. Once virus is run, it checks for active copy of itself in memory by finding VxDcallIFSMgr_Get_Version in the AX register. As a result, the AX is 0xDEAD once the virus is active in the memory. In such cases, it checks the time and calls its pay load routine on June 1 every year, and corrupts AT hard disk.

When W95.Spaces does not detect itself in the memory, it allots memory for itself and hooks your file system to itself. Because of this, it can now infect all the files that are accessed with executable file name extension. Because VxD calls are patched on the fly by Windows 9x based computers, the virus fixes a copy of itself for those places prior to writing itself to the file.