PE_SPACES.1245, Virus.Win9x.Spaces.1245, Virus:Win95/Spaces.1245, W32/Busm.1245
W32/Spaces.1245, W95/Spaces.1245, W95/Spaces.1245, Win95.Spaces.1245
Category: Computer Virus
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
28 Dec 1999
The W95/Spaces program is a dangerous virus that manipulates the Master Boot Record of an AT hard drive by making use of port commands on June 1 of every year. It modifies the Master Boot Record data area with the intention that the first partition points to itself. This will prevent the system from booting, when running MS-DOS versions, which contain a bug and are not able to boot the system appropriately.
W95.Spaces Removal Tool
If you have Malware on your computer it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer virus removal tool to automatically clean W95.Spaces from your computer.
More details about W95.Spaces
The virus has two variants that append either 1,245 or 1,633 bytes to the end section of the Portable Executable files. The Portable Executable header's entry points to the beginning of the virus at the last section. The characteristics of the last section is changed to a writeable file and the PE header's Reserved1 field contains 2 spaces. Hence the name of the virus. Once virus is run, it checks for active copy of itself in memory by finding VxDcallIFSMgr_Get_Version in the AX register. As a result, the AX is 0xDEAD once the virus is active in the memory. In such cases, it checks the time and calls its pay load routine on June 1 every year, and corrupts AT hard disk.
When W95.Spaces does not detect itself in the memory, it allots memory for itself and hooks your file system to itself. Because of this, it can now infect all the files that are accessed with executable file name extension. Because VxD calls are patched on the fly by Windows 9x based computers, the virus fixes a copy of itself for those places prior to writing itself to the file.