User:DrSwitched/Win95/Drill

Win95/Drill is a polymorphic computer virus written in assembly language by the virus writer Mental Driller. Although it is not clear exactly when it was released, it came to the notice of anti-virus companies at the end of 2000. The virus uses the Tuareg engine for its polymorphism and, in combination with its anti-emulation and anti-heuristic features, proved extremely difficult to detect. The virus runs in user mode and uses the Win32 API; however, it only works under Windows 9x systems. It infects portable executable (PE) files.

Initialisation
The first task of the virus is to decrypt itself, which involves decrypting two layers of polymorphic code via two separate decryption modules. The first decryption module is placed in the original code section of the application, whereas the second is in the last section at the start of the virus body.

After both decryption modules have been executed, the virus retrieves the addresses of the KERNEL32.DLL functionality it will need later on. This routine is protected with structured exception handling - if an exception occurs, the host application is executed as normal.

If initialisation is successful, the infection routine is called.

Infection
Note: The same infection routine is used for the Windows and Windows System directories.

Drill traverses the directories mentioned above as part of its infection routine, but its selection of files is random: some files are skipped without any infection attempt being made. When a file is not skipped, the infection routine carries out the following steps:

 * 1) The virus checks the name of the candidate file; this check is largely part of its anti-detection functionality.
 * 2) If the candidate file is a known anti-virus file (sometimes referred to as a 'bait' file), it will not be infected.
 * 3) The virus then checks that the candidate file's name does not start with any of the following sequences:
   * 'tb'
   * 'cs'
   * 'f-'
   * 'pa'
   * 'dr'
   * 'no'
   * and that it does not contain the letter 'v'.
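As an added example (not code from the original page), the following helper applies the file-name filter described above to a directory listing, so an analyst can see which executables fall outside the virus's candidate set, for instance when choosing names for decoy files. It assumes case-insensitive comparison, that only the base name (including extension) is examined, and that the known anti-virus names are a placeholder list; none of these details are given on the page.

```python
import ntpath  # handles Windows-style backslash paths on any platform

# Name prefixes the page says Win95/Drill refuses to infect.
SKIPPED_PREFIXES = ("tb", "cs", "f-", "pa", "dr", "no")
# Placeholder: the page does not list the anti-virus ('bait') names it checks.
KNOWN_AV_NAMES = {"placeholder_av_bait.exe"}


def drill_skip_reason(path):
    """Return why the virus would skip this file, or None if it is a candidate."""
    name = ntpath.basename(path).lower()  # assumption: case-insensitive match
    if name in KNOWN_AV_NAMES:
        return "known anti-virus/bait file"
    if name.startswith(SKIPPED_PREFIXES):
        return "name starts with %r" % name[:2]
    if "v" in name:  # assumption: the extension is part of the checked name
        return "name contains 'v'"
    return None


def triage_listing(paths):
    """Split a listing into candidate files and skipped files (with reasons)."""
    candidates, skipped = [], {}
    for path in paths:
        reason = drill_skip_reason(path)
        if reason is None:
            candidates.append(path)
        else:
            skipped[path] = reason
    return candidates, skipped


# Constructed sample listing (not taken from the page).
SAMPLE_LISTING = [
    r"C:\WINDOWS\NOTEPAD.EXE",
    r"C:\WINDOWS\CALC.EXE",
    r"C:\WINDOWS\DRWATSON.EXE",
    r"C:\WINDOWS\EXPLORER.EXE",
    r"C:\WINDOWS\SYSTEM\VMM32.VXD",
    r"C:\WINDOWS\TBSCAN.EXE",
]

if __name__ == "__main__":
    cands, skips = triage_listing(SAMPLE_LISTING)
    print("candidates:", cands)
    for path, why in skips.items():
        print("skipped:", path, "->", why)
```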