Virus.Win9x.Prizm.4428 is a very dangerous memory-resident, parasitic, polymorphic virus for Microsoft Windows 9x.
The virus infects Win32 PE EXE and DLL files. Its resident copy infects files as Windows accesses them (opens or runs them). When it is run from an infected file, the virus also enumerates the applications that are currently running, obtains their file names, and tries to infect those as well.
While infecting, the virus writes itself to the end of the file, then modifies the entry-point address and the other PE header fields needed to make the appended code run first. It also writes a string into a PE header field as an infection marker, so that already-infected files can be recognised:
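The header changes described above leave a footprint that a triage script can check without running the file: the entry point ends up inside appended code, which in practice means the last section of the image, often one that is both writable and executable. The Python below is an added example written for this page; it is not part of the original entry nor of any vendor tooling. The build_pe fixture, the heuristics in appended_code_suspicion, and the two sample images are constructed for illustration (the "infected" one simulates an appender that grows the last section and redirects the entry point into it). The identification string the virus writes is not reproduced on this page, so the check relies only on entry-point placement and section flags.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections, entry_point):
    """Assemble a minimal PE32 image: DOS header, NT headers, section table.
    `sections` is a list of (name, virtual_address, size, characteristics).
    Constructed test fixture for this example, not a real binary."""
    dos = bytearray(0x40)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> NT headers at 0x40
    # COFF header: i386, N sections, no symbols, PE32 optional header size, EXE
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)   # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)      # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)        # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)         # FileAlignment
    table = b""
    raw = 0x400
    for name, va, size, flags in sections:
        table += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                             size, va, size, raw, 0, 0, 0, 0, flags)
        raw += size
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt) + table


def parse_sections(data):
    """Return (AddressOfEntryPoint, [(name, va, size, flags), ...]) from a PE file."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+; entry point offset is 16 in both
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    off = opt + opt_size
    for _ in range(nsec):
        name, vsize, va, rawsize, _, _, _, _, _, flags = struct.unpack_from(SECTION_HDR, data, off)
        # Use the larger of VirtualSize/SizeOfRawData: appenders often leave one stale.
        sections.append((name.rstrip(b"\0").decode(errors="replace"), va, max(vsize, rawsize), flags))
        off += struct.calcsize(SECTION_HDR)
    return entry, sections


def entry_point_section(data):
    """Locate the section containing the entry point; index is None if outside all sections."""
    entry, sections = parse_sections(data)
    for idx, (_, va, size, _) in enumerate(sections):
        if va <= entry < va + size:
            return entry, idx, sections
    return entry, None, sections


def appended_code_suspicion(data):
    """Heuristics for an entry point redirected into appended code (hypothetical rules)."""
    entry, idx, sections = entry_point_section(data)
    reasons = []
    if idx is None:
        reasons.append("entry point 0x%x lies outside every section" % entry)
        return reasons
    name, _, _, flags = sections[idx]
    if len(sections) > 1 and idx == len(sections) - 1:
        reasons.append("entry point is in the last section (%s)" % name)
    if not flags & IMAGE_SCN_MEM_EXECUTE:
        reasons.append("entry section %s is not marked executable" % name)
    if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
        reasons.append("entry section %s is writable and executable" % name)
    return reasons


# Constructed fixtures: a clean layout, and the same file after a simulated appender
# grew the last section, made it executable, and pointed the entry point into it.
CLEAN = build_pe([(".text", 0x1000, 0x200, 0x60000020),
                  (".data", 0x2000, 0x200, 0xC0000040)], 0x1010)
INFECTED = build_pe([(".text", 0x1000, 0x200, 0x60000020),
                     (".data", 0x2000, 0x1400, 0xE0000040)], 0x2200)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, appended_code_suspicion(img) or "no findings")
```

These are triage heuristics, not a detection signature: packers and some linkers also place the entry point in a late or writable section, so a hit should send the file to a scanner or to manual inspection rather than be treated as proof of infection.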
To stay memory resident, the virus switches from user mode to kernel mode (Ring 3 to Ring 0), allocates a block of system memory, and copies itself there. It then hooks the INT 21h (DOS) interrupt chain, the IFS (Installable File System) API, and system broadcast messages.
The INT 21h hook serves only the virus's "Are you here?" call, which detects an already active resident copy and avoids a double installation. The IFS hook intercepts file-open calls and infects the Win32 EXE and DLL files being opened.
The broadcast-message hook detects when a CD drive receives a new disc. When it does, the virus issues a "write data" command to the inserted disc. The apparent intent is to destroy discs in CD writers, but the routine appears to be buggy, so discs should not actually be damaged.
On the 1st, 11th, 13th, and 26th of each month, each time an infected program runs, the virus overwrites a randomly selected sector on each logical drive with its own code and displays a Blue Screen of Death message:
Virus Win9x.Chazhma(Chernobil2) Made by SpAmC0der->[PRiZM]->Vladivostok->Russia Battle of life. Capital!!! to be continued... Win32.Kursk2000 Press any key to continue