|Date||June 30th, 1995|
Spaces is a memory resident parasitic virus. When a program infected with Spaces is executed, it infects all Win32 executable files (PE EXE - Portable Executable) that are opened while Spaces is present in memory. The virus infects files by writing itself to the end of the file into the last file section, increasing its size.
When an infected file is run on June 1st, the computer bluescreens. pressing a key to continue will give the user control of the computer again, but every infected file that is run produces a BSOD. Upon reboot after the payload has activated, the machine will appear to halt while loading. This is because the virus rewrote the partition table to include only one partition that loads the MBR, and the MBR will load the partition table. As a result, the computer goes into an infinite loop, and although no data on the disk is destroyed, it is not accessible. Even if a DOS floppy is inserted to boot from, the computer will still get stuck in an infinite loop trying to find the end of the partition table. (The AVP package is distributed with DOS floppy disk that does not have this problem: it loads DOS with no side effects, brings the DOS prompt line, and disk then can be recovered with any disk editing utility)
While rewriting the MBR sector the virus overwrites it by direct writing to the hard drive controller's ports and bypasses BIOS anti-virus protection. This routine has a bug and in some cases (depending on the system configuration) the virus causes the "General Protection Fault" error message, and this saves the MBR.
The virus was named "Spaces" because it uses two spaces to detect its copy in the Windows memory (these spaces are returned by an "are-you-here?" virus function). By two spaces the virus also separates infected and uninfected files - the virus writes them to the PE header to the reserved field.
The virus can be manually detected by the text string that presents at the end in infected files:
The virus installation procedure and some other routines are similar to the CIH virus. The virus installs itself to the Windows kernel as a VxD driver: it jumps from the application Ring3 level to the system kernel Ring0 by patching the protected mode Interrupt Description Table, then allocates a block of system (VxD) memory, copies its code to there, intercepts the IFS API Windows calls, returns back to the Ring3 level and jumps to the host program's code. These routines are very similar to to how the CIH virus installs itself onto a machine.
To detect its copy in the Windows memory the virus also hooks the IFSMgr_Get_Version Windows VxD function. The virus detects its copy by this call with AX=2020h (two spaces), and the "resident" virus copy returns DEADh in the AX register.