This PE virus infects the KERNEL32.DLL file to sets itself in memory. The infected KERNEL32.DLL then contains the virus signature, Luna.
This virus intercepts function calls to CreateFileA so that it infects all files that the infected user opens or executes. It appends its virus code at the last section of its target files and then modify the header of the infected file to point to its virus code. It does not infect the following antivirus software:
The following text strings are found in the decrypted infected files:
�Win9x.Luna Coded by Bumblebee�
On the system date 15th of odd months (January, March, May, July, September, November), this virus toggles the cases of characters of opened files with .TXT extensions. It converts the lowercases to uppercases and the uppercases to lowercases.