Oporto is a per-process memory-resident Windows virus. It infects Windows executable files only (PE EXE). While infecting, the virus increases the size of the last file section, writes its code there, and modifies the necessary fields in the PE header. To gain control when an infected file is executed, the virus writes a short "Jump-Virus" routine to the program's start-up routine. The virus does not modify the "program entry point" address.
When an infected file is executed, the virus searches for PE EXE files in the current directory, then in the Windows or Windows system directory, and infects them. The virus then hooks fifteen Windows file-access functions (file searching, opening, etc.) and stays in Windows memory as part of the host file's code. When the hooked functions are executed, the virus searches for PE EXE files on disk and infects them.
The virus is able to hook the Windows functions only when the host program uses them (imports them from the Windows kernel). The "lifetime" of a resident virus copy depends on how long the host program runs: when the host is terminated, the resident virus code is terminated too.
The virus deletes the anti-virus data file ANTI-VIR.DAT. On September 24th, the virus displays the following MessageBox and halts the system:
TOTILIX Presents... This >TOTILIX< Virus was assembled at the city of Oporto Portugal! email@example.com (c) 1999 G@SP@R aka Sexus
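Because the infection described above enlarges the last section but leaves the entry point address untouched, a check that only asks "does the entry point fall in the last section?" stays silent. The following added example (not part of the original description) compares a file's PE headers against a known-good baseline copy instead; the function names and the sample header bytes are constructed for illustration.

```python
import struct

def pe_summary(data: bytes) -> dict:
    """Parse entry point RVA and the last section header of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off, = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    if n_sections == 0:
        raise ValueError("no sections")
    entry_rva, = struct.unpack_from("<I", data, pe_off + 24 + 16)
    last_hdr = pe_off + 24 + opt_size + 40 * (n_sections - 1)
    name, vsize, vaddr, raw_size = struct.unpack_from("<8sIII", data, last_hdr)
    return {
        "entry_rva": entry_rva,
        "last_name": name.rstrip(b"\0").decode("ascii", "replace"),
        "last_vsize": vsize,
        "last_raw_size": raw_size,
        # The usual "entry point in last section" heuristic.
        "entry_in_last": vaddr <= entry_rva < vaddr + max(vsize, raw_size),
    }

def last_section_grew(baseline: bytes, current: bytes) -> bool:
    """True if the last section grew while the entry point stayed the same."""
    old, new = pe_summary(baseline), pe_summary(current)
    grew = (new["last_raw_size"] > old["last_raw_size"]
            or new["last_vsize"] > old["last_vsize"])
    return grew and new["entry_rva"] == old["entry_rva"]

def sample_headers(last_vsize: int, last_raw: int) -> bytes:
    """Constructed two-section PE32 headers (no section data), for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000).ljust(0xE0, b"\0")
    text = struct.pack("<8sIIII", b".text", 0x800, 0x1000, 0x800, 0x400).ljust(40, b"\0")
    last = struct.pack("<8sIIII", b".reloc", last_vsize, 0x2000, last_raw, 0xC00).ljust(40, b"\0")
    return dos + coff + opt + text + last

if __name__ == "__main__":
    clean = sample_headers(0x200, 0x200)
    changed = sample_headers(0x1200, 0x1200)  # constructed: larger last section
    print(pe_summary(changed))
    print("last section grew, entry unchanged:", last_section_grew(clean, changed))
```

A positive result is a reason to inspect the file further, not a verdict: legitimate patching can also change section sizes.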