PE_LUNA

Malware type: File Infector

Aliases: Virus.Win9x.Luna.2757.b (Kaspersky), W95/Luna.gen (McAfee), W95.Luna.2757.B (Symantec), W95/Luna-2757.A (Avira), W95/Luna-A (Sophos), Virus:Win95/Luna_2724.B (Microsoft)

In the wild: No

Destructive: No

Language: English

Platform: Windows

Encrypted: Yes

Overall risk rating:

Description: 
This polymorphic, memory-resident Windows virus infects all Windows executable files that the infected user opens or executes. It appends its virus code to the last section of each target file, which increases the size of infected files.

Description created: Nov. 6, 2000 12:16:47 PM GMT -0800
Description updated: Mar. 19, 2002 5:46:13 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 2,293 ~ 2,595 Bytes

Initial samples received on: Dec 20, 1999

Payload 1: Toggles the character case of opened .TXT files

Details:
This PE virus infects the KERNEL32.DLL file to install itself in memory. The infected KERNEL32.DLL then contains the virus signature, Luna.

This virus intercepts function calls to CreateFileA so that it infects all files that the infected user opens or executes. It appends its virus code to the last section of each target file and then modifies the header of the infected file to point to its virus code. It does not infect files whose names match the following patterns, which correspond to antivirus software:

  • AV*.*
  • DR*.*
  • F-*.*
  • AN*.*
  • CE*.*
  • PI*.*
  • TB*.*

The following text strings are found in the decrypted infected files:

"Win9x.Luna Coded by Bumblebee"
"Luna"

When the system date is the 15th of an odd month (January, March, May, July, September, November), this virus toggles the case of characters in opened files with the .TXT extension. It converts lowercase characters to uppercase and uppercase characters to lowercase.
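The header change described above (code appended to the last section, with the header pointing at it) leaves an entry point that lies inside the last section. The following triage check is an added example, not part of the original description or any vendor's detection logic. The function names and the sample headers are constructed for illustration.

```python
import struct

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def parse_pe(data):
    """Return (entry_point_rva, [(name, vaddr, vsize, rawsize, flags), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # NumberOfSections at +6, SizeOfOptionalHeader at +20 from the PE signature
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    opt_off = pe_off + 24
    (entry,) = struct.unpack_from("<I", data, opt_off + 16)   # AddressOfEntryPoint
    sections = []
    for i in range(nsect):                                    # 40-byte section headers
        raw, vsize, vaddr, rawsize, flags = struct.unpack_from(
            "<8sIII16xI", data, opt_off + opt_size + 40 * i)
        sections.append((raw.rstrip(b"\0").decode("ascii", "replace"),
                         vaddr, vsize, rawsize, flags))
    return entry, sections

def check_entry_point(data):
    """Flag an entry point inside the last section, and whether that section is W+X."""
    entry, sections = parse_pe(data)
    if len(sections) < 2:             # a single section is trivially "last"
        return {"entry_in_last": False, "last_wx": False, "section": None}
    name, vaddr, vsize, rawsize, flags = max(sections, key=lambda s: s[1])
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return {"entry_in_last": vaddr <= entry < vaddr + max(vsize, rawsize),
            "last_wx": (flags & wx) == wx, "section": name}

def build_headers(entry, sections):
    """Constructed test input: PE32 headers only, no code or data bytes."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry) + b"\0" * (0xE0 - 20)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, fl)
                     for n, va, vs, fl in sections)
    return dos + coff + opt + table

# Constructed samples: same layout, but SUSPECT has a grown, writable+executable
# last section that contains the entry point.
CLEAN = build_headers(0x1000, [(b".text", 0x1000, 0x2000, 0x60000020),
                               (b".data", 0x3000, 0x1000, 0xC0000040),
                               (b".reloc", 0x4000, 0x800, 0x42000040)])
SUSPECT = build_headers(0x4900, [(b".text", 0x1000, 0x2000, 0x60000020),
                                 (b".data", 0x3000, 0x1000, 0xC0000040),
                                 (b".reloc", 0x4000, 0x1400, 0xE2000040)])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, check_entry_point(blob))
```

Legitimate packers also place the entry point in the last section, so a hit is a reason to inspect the file further, not a verdict.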