This is certainly old news, but I only found it today.
Virus name: Win95/Padania
Virus type: NewEXE
Known Variants: .1355
Infected objects: PE_EXE
Distribution: Less Likely
Region reported: Europe
Detection added: 1999-11-14
Disinfection added: 1999-11-14


This is a non-dangerous memory-resident Windows 95 virus. It was reported as being widespread in several countries in the last months. Being a stable virus, it is expected to go unnoticed on most infected systems. The virus makes use of several undocumented tricks. It can infect a file using two different methods: if the file has a .reloc section, the virus overwrites it; otherwise it adds a new section named "Padania" and writes its code there. The virus also has three different methods of gaining control: directly setting the entry point in the header to its code, writing a short loader in the unused space of the EXE header, or linking a JMP instruction from the original code to the virus body.

Technical details:

When the virus code gets control, it tries to install its own IFS routine. Through this routine the virus gets control every time a file operation is executed. When such a call is made by IFSMgr, the virus checks whether the request is a "file-open" one. If so, it checks whether the extension of the opened file is ".EXE", saves the file's original attributes and resets them to allow writing. Then it checks whether the file is a PE executable (the format used by native Win32 executables) and whether it is already infected, i.e. whether the user version field in the PE header is set to "b0z0". The virus then checks whether the file contains more than 17 sections (that is, whether the section information and the EXE header fit in 1 KB of data). At this point the virus checks whether the file has a .reloc section: if so, it changes the EXE header and clears the fixups flag. Usually the .reloc section is used only if an application is loaded at the same address as another one. Such a collision happens only with DLL files, so the method will not cause any visible change in the system. If the file does not have a .reloc section, the virus adds a new section named "Padania" and sets its virtual address to point into the VMM address space (C0000000h). After writing its code and altering the file to execute the virus code, Padania restores the original file attributes and returns control to the previous IFS routine.

The virus also contains the "copyright" string "by -b0z0/iKX-" and the name string "Padania_Libera".

Other information
This is a so-called "political" virus. The virus' author seems to be a supporter of several groups that fight for the freedom of Padania, a region in the north of Italy.