W95.Sleepyhead.5632


Aliases: W32.Sleepyhead
Variants: W95.Sleepyhead

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 21 Oct 2002
Damage: Low

Characteristics: The W95/Sleepyhead.5632 virus infects Portable Executable files or PE files under Windows 95, Windows 98, or Windows Me. It could corrupt PE files with data that is appended outside of the .exe image.

More details about W95.Sleepyhead.5632

When W95/Sleepyhead.5632an is executed, it searches the memory for Kernel32.dll functions. It then loads WSock32.dll and User32.dll libraries and looks for functions in them. Afterwards, the virus looks through any folders and subfolders on mapped drives and the hard drives, beginning at the root. The virus appends itself at the end of the host file image. It infects only those portable executable files with .exe file extension and files that are not yet infected by the same virus. The infected file can grow in size by about 5,632 Bytes and their date and time stamp as well change at the time it was infected.

W95/Sleepyhead.5632 doesn’t display messages or make any malicious side-effects. This virus searches for all mapped drives in a separate search thread and begins searching for files to be infected by it. The virus infects files gradually and is almost not noticed. When new file is infected by it, it takes time to wait for 15 seconds before trying to infect another one. When the file is infected, It marks a Byte in the header so that it doesn’t re-infect them later.