This 5124-byte virus (aka Hanta) is a Windows 95/98 infector that installs itself into the Windows kernel, hooks system events and then infects Portable Executable (PE) files as they are accessed. The virus was named after the "copyright" string that is visible in the decrypted virus code:
< Hantavirus Pulmonary Syndrome (HPS) Virus BioCoded by GriYo / 29A >
While infecting a file, the virus increases the size of the last section, encrypts its code with its polymorphic engine, writes the encrypted result into the last section at the end of the file and modifies the entry point address. The size of the polymorphic decryption loop is variable, so the size of infected files grows by a variable amount.
The virus is slow polymorphic: the polymorphic decryption loop code is not changed each time the virus infects a file. Moreover, the same infected file produces the same polymorphic code when infecting further files, and all files infected before a reboot have the same decryption routine. Only the next "generation" of the virus produces a polymorphic loop that differs from the "parent" copy of the virus.
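A defender-side heuristic for the infection method described above, added here as an example and not part of the original description: it parses the PE section table and flags files whose entry point lies inside the last section, the layout that this kind of appending infector leaves behind. The header-only sample PE it builds is constructed for illustration only; a real check would also inspect the section's characteristics and the bytes at the entry point.

```python
import struct

def build_sample_pe(entry_rva, sections):
    """Constructed header-only PE32 image (no real code), used only as sample input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                            # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                           # magic
    struct.pack_into("<I", opt, 16, entry_rva)                      # AddressOfEntryPoint
    table = b""
    for name, vaddr, size in sections:
        # VirtualSize, VirtualAddress, SizeOfRawData, unused pointers/counts, Characteristics
        table += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", size, vaddr, size, 0, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

def parse_sections(pe):
    """Return (entry_rva, [(name, vaddr, size), ...]) read from a PE file's headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize = struct.unpack_from("<III", pe, off + 8)
        sections.append((name, vaddr, max(vsize, rawsize)))
    return entry_rva, sections

def entry_point_section(pe):
    """Index and name of the section holding the entry point, or None if it is outside all sections."""
    entry_rva, sections = parse_sections(pe)
    for i, (name, vaddr, size) in enumerate(sections):
        if vaddr <= entry_rva < vaddr + size:
            return i, name
    return None

def entry_in_last_section(pe):
    """Heuristic: an entry point inside the last section is what an appending infector leaves behind."""
    hit = entry_point_section(pe)
    return hit is not None and hit[0] == len(parse_sections(pe)[1]) - 1

if __name__ == "__main__":
    layout = [(b".text", 0x1000, 0x1000), (b".data", 0x2000, 0x1000)]
    print(entry_in_last_section(build_sample_pe(0x1010, layout)))  # clean layout: False
    print(entry_in_last_section(build_sample_pe(0x2040, layout)))  # entry moved into last section: True
```

Plenty of legitimate packers and linkers also put the entry point in the last section, so this is a triage signal to combine with other checks, not a verdict on its own.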
When an infected file is executed, the polymorphic decryption routine takes control, restores the virus code to its original form and jumps to the installation routine. The virus then scans Windows kernel code to locate the KERNEL32.DLL image, looks for its export table and obtains the VxDCall routine address from there. The virus later uses this address to call disk access and other routines when needed.
The virus then installs itself into the Windows kernel: it allocates a block of memory using undocumented Win32 VxD services provided by VMM (PageReserve and PageCommit), copies itself there, scans the VxDCall handler in KERNEL32 code and patches it with the address of its own handler. As a result the virus resides in the shared memory area and hooks VxDCall.
To prevent a General Protection fault while scanning Windows memory for the KERNEL32.DLL image (which can occur when the virus accesses a part of memory that is not available to applications), the virus protects itself with Structured Exception Handling (SEH). This also serves as an anti-debugging trick.
The virus detects an already installed copy with an "Are-You-Here?" call: a GetDate VxDCall with registers ESI='HPS!' and EDI='TSR?'; the installed copy returns 'YES!' in the ESI register.
The virus's VxDCall handler monitors VWIN32_Int21Dispatch calls only and passes all other calls through. Nine functions are intercepted: GetDate, Open ReadOnly, Open WriteOnly, FindFirst/Next with LongNames, Rename with LongName, Create/Open with LongName. On file access calls (open, rename) the virus compares the file name extension with EXE, SRC and SYS and infects the file if it is not already infected. After infecting a file the virus deletes the anti-virus data files ANTI-VIR.DAT, CHKLIST.MS, AVP.CRC and IVB.NTZ if they exist.
On FindFirst/Next calls the virus "decreases" the reported length of infected files. This is the virus's stealth capability: the length increase caused by infection is not visible to Windows utilities. However, the virus does not intercept old-style DOS FindFirst/Next calls, so the new length of an infected file is visible to good old DOS tools, including the DOS DIR command.
The virus has a video trigger routine. When the virus installs itself into Windows memory, it gets the system date. If it is installing on a Saturday, it then affects any uncompressed BMP files: the virus flips the contents of the BMP image so that it is displayed from right to left. The virus marks flipped images with a DEADBABEh stamp and does not flip a marked image a second time, which would restore it to its original state.