W32/Cabanas_Family
Analysis
- Virus is 32-bit and contains anti-debugging techniques
in order to hinder analysis by some common methods
- Virus runs memory-resident and injects its code
into files only if their file size is not evenly
divisible by 101; a file whose size is divisible
with no remainder is assumed by the virus to already
be infected
- Virus infects EXE and SCR files in the Windows
folder initially and later infects files elsewhere
on the hard drive
- Virus contains the string “Win32.Cabanas”
in its code
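
A triage sketch built on the two indicators listed above (added example, not part of the original entry): it checks EXE and SCR files for a nonzero size that is a multiple of 101 and for the string. It assumes the string is stored unencrypted in infected files on disk; the function names and verdict labels are illustrative.

```python
import os

MARKER = b"Win32.Cabanas"   # string the entry says is in the virus code
MODULUS = 101               # infected files have a size divisible by 101
TARGET_EXTS = {".exe", ".scr"}

def contains_marker(path, marker=MARKER, chunk_size=65536):
    """Stream the file; keep a tail so a marker split across reads is found."""
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return False
            window = tail + chunk
            if marker in window:
                return True
            tail = window[-(len(marker) - 1):]

def classify(path):
    """Return 'marker+size', 'marker', 'size-only' or None for one file."""
    if os.path.splitext(path)[1].lower() not in TARGET_EXTS:
        return None
    size = os.path.getsize(path)
    size_hit = size > 0 and size % MODULUS == 0   # empty files are not hits
    marker_hit = contains_marker(path)
    if marker_hit:
        return "marker+size" if size_hit else "marker"
    return "size-only" if size_hit else None

def scan(root):
    """Walk root and return sorted (path, verdict) pairs for flagged files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                verdict = classify(path)
            except OSError:
                continue          # unreadable or locked file: skip it
            if verdict:
                hits.append((path, verdict))
    return sorted(hits)

if __name__ == "__main__":
    import sys
    for path, verdict in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:12} {path}")
```

A size-only verdict is weak evidence, since roughly one clean file in 101 has a size that is a multiple of 101; treat it as a prompt for closer inspection.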