Virus.Win9x.Prizm.4428, or Prizm, is a virus that runs on Microsoft Windows 9x.
Prizm is a very dangerous memory-resident, parasitic, polymorphic Win9x virus. It infects Windows PE (Portable Executable) files with .EXE and .DLL filename extensions. The resident copy infects files as Windows accesses them (opens or runs them). When run from an infected file, the virus also looks for applications that are currently running, obtains their file names, and tries to infect them as well.
While infecting, the virus writes itself to the end of the file and modifies the entry point address and the PE header fields needed to make the appended code run. The virus also writes a "SpAm" ID-string to a field in the PE header.
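The two traces described above (an entry point redirected into the appended body, and the "SpAm" ID-string in the PE header) are what a file scanner can look for. The following is an added example, not code from the original page or from any antivirus vendor: a small PE header parser that reports whether the entry point lies in the last section, where an appending infector places its body, and whether the ID-string occurs anywhere in the header region. The page does not say which header field Prizm uses, so the constructed sample stores the marker in the reserved Win32VersionValue field purely as an assumption, and the scanner searches the whole header region rather than one field. build_pe, scan_pe, MARKER and the CLEAN/INFECTED images are hypothetical names introduced here.

```python
import struct

MARKER = b"SpAm"  # ID-string the page says Prizm writes into the PE header


def build_pe(sections, entry_rva, marker=None):
    """Build a minimal PE32 image in memory (constructed sample, not a real file).

    sections:  list of (name, virtual_address, virtual_size)
    entry_rva: AddressOfEntryPoint to store in the optional header
    marker:    optional 4 bytes stored in the reserved Win32VersionValue field.
               The page does not name the field Prizm uses; this choice is an
               assumption made only so the scanner has something to find.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew -> PE signature
    # COFF header: Machine=i386, NumberOfSections, three unused dwords,
    # SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 0x10, entry_rva)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x400000)          # ImageBase
    struct.pack_into("<I", opt, 0x20, 0x1000)            # SectionAlignment
    struct.pack_into("<I", opt, 0x24, 0x200)             # FileAlignment
    if marker is not None:
        opt[0x34:0x38] = marker                          # Win32VersionValue (assumed)
    raw_headers = e_lfanew + 4 + len(coff) + len(opt) + 40 * len(sections)
    size_of_headers = (raw_headers + 0x1FF) & ~0x1FF     # round up to FileAlignment
    struct.pack_into("<I", opt, 0x3C, size_of_headers)   # SizeOfHeaders
    struct.pack_into("<I", opt, 0x5C, 16)                # NumberOfRvaAndSizes
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, va, 0, 0, 0, 0, 0, 0, 0x60000020)
        for name, va, vsize in sections)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return image.ljust(size_of_headers, b"\0")


def scan_pe(data):
    """Parse a PE image and report the two Prizm-style indicators.

    Returns the section names, the index of the section holding the entry
    point (None if it lies outside every section), whether that is the last
    section, whether the ID-string occurs in the header region, and a combined
    verdict that requires both indicators together.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    nsec, = struct.unpack_from("<H", data, coff_off + 2)
    opt_size, = struct.unpack_from("<H", data, coff_off + 16)
    opt_off = coff_off + 20
    entry_rva, = struct.unpack_from("<I", data, opt_off + 0x10)
    size_of_headers, = struct.unpack_from("<I", data, opt_off + 0x3C)
    table_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", data, table_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize))
    entry_section = None
    for idx, (_, va, vsize) in enumerate(sections):
        if va <= entry_rva < va + vsize:
            entry_section = idx
            break
    # Every header field ends before SizeOfHeaders, so whichever field Prizm
    # actually uses, the ID-string must fall inside this slice.
    marker_found = MARKER in data[e_lfanew:size_of_headers]
    entry_in_last = entry_section is not None and entry_section == nsec - 1
    return {
        "sections": [s[0] for s in sections],
        "entry_section": entry_section,
        "entry_in_last_section": entry_in_last,
        "marker_found": marker_found,
        "suspicious": entry_in_last and marker_found,
    }


# Constructed samples: a clean-looking image, and one laid out the way the page
# describes an infected file (body appended at the end, entry point moved into
# it, ID-string placed in the header).
CLEAN = build_pe([(".text", 0x1000, 0x800), (".data", 0x2000, 0x400)],
                 entry_rva=0x1100)
INFECTED = build_pe([(".text", 0x1000, 0x800), (".data", 0x2000, 0x400),
                     (".rsrc", 0x3000, 0x1200)],
                    entry_rva=0x3F00, marker=MARKER)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, scan_pe(image))
```

An entry point in the last section is a weak signal on its own (single-section files and many packers look the same), which is why the verdict here requires the ID-string as well; a production scanner would additionally match the virus's polymorphic decryptor at the entry point, which the page gives no details of and this example does not attempt.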
To stay memory resident, the virus switches from user mode to Windows kernel mode (Ring 3 -> Ring 0), allocates a block of system memory, and copies itself there. The virus then hooks the DOS INT 21h interrupt chain, the IFS (Installable File System) API, and system broadcast messages.
The INT 21h hook serves only the virus's "Are you here?" call, by which it detects an already active memory-resident copy and avoids installing itself twice. The IFS hook intercepts file-open system calls and infects Win32 EXE and DLL files as they are opened.
The broadcast-message hook detects when a CD drive receives a new disc. In that case, the virus tries to issue a "write data" command to the inserted disc. The virus apparently intends to destroy discs in CD writers, but this routine appears to be buggy, so CD discs should not actually be destroyed.
On the 1st, 11th, 13th, and 26th of each month, each time an infected program is run, the virus erases a randomly selected sector on each logical drive (overwriting it with virus code) and displays a Blue Screen of Death message:
Made by SpAmC0der->[PRiZM]->Vladivostok->Russia
Battle of life. Capital!!!
to be continued... Win32.Kursk2000