Win32.Epstein-Barr.6144
        ~~~~~~~~~~~~~~~~~~~~~~~


When an infected file is executed the first time in an uninfected system, the
asm portion of the virus gets control first and drops the virus main EXE file
to the windows system directory, executes it and returns control to the host
immedeately. The main virus executable then checks if it is running under 9x
or NT so it can use the accurate process enumeration APIs (Toolhelp32 in Win9x
and PSAPI in WinNT). If running under 9x it also uses RegisterServiceProcess
to make itself invisible in the task list. Then it adds a key to the registry
so that it is executed at each windows startup, so it can stay resident as a
background process all the time windows is running on an infected machine.
After that, it goes into an infinite loop where it enumerates all running
processes constantly, and infects PE EXE files when they quit. The infection
process is standart last section increasing, first the assembler portion is
appended and the entrypoint set to it, then the whole main executable, so it
can be easily dropped again when the infected file is executed. So the virus
is a true appender, no stupid HLL prepender, even though its biggest part is
written in C++ with only a small assembler loader.