Win95:Inca

The Inca virus was found in the wild in September 1998. It can infect Windows 95/98 systems; users of Windows NT are safe.

Recognition:
There is a new file FONO98.VXD in the directory WINDOWS\SYSTEM. The SYSTEM.INI file has a new line device=FONO98.VXD added in the section [386Enh]. Slow computers could report the missing file C:\W95INCA.COM. There may also be problems with access to the floppy drive(s).

Targets of infection:
The Inca virus is able to add its dropper to archive files of the LHA, LZH, PAK, ARJ, ZIP and RAR types. The dropper is polymorphic, about 17KB long, and is stored as a COM or EXE file with a random four-letter name composed of the letters A-P. The presence of the file FONO98.VXD means that the virus is active on your computer. The virus also infects Windows 95/98 EXE and SCR files (PE files) and the boot sectors of floppy disks.

How Infection works:
The virus can be activated from a boot sector, a COM dropper or an infected EXE file. In all cases, it first creates the file FONO98.VXD in the SYSTEM directory, modifies the SYSTEM.INI file and tries to delete the file HSFLOP.PDR from the directory SYSTEM\IOSUBSYS (in order to get BIOS access to floppy disks). After the next reboot the virus becomes resident and active, and it infects all of the file and archive types mentioned above. If the virus detects the execution of the MIRC32.EXE program, it drops the SCRIPT.INI file, which contains commands to spread the virus via the DCC protocol. The virus is also able to send out the program REVENGE.COM, which is able to manipulate the CMOS memory on computers with an AWARD BIOS.

Removing:
You can remove the virus by deleting the FONO98.VXD file, removing the device=FONO98.VXD line from the SYSTEM.INI file and deleting all infected files on the computer. mIRC users should also check their SCRIPT.INI file.
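
The host indicators listed under Recognition and How Infection works can be checked on a copied or mounted Windows 95/98 directory with a short script. This is an added example, not part of the original description; the function names find_ci, ini_loads_vxd and check_inca are hypothetical, and it assumes the Windows directory of the suspect disk is reachable as an ordinary folder.

```python
import os

def find_ci(base, *parts):
    """Resolve base/parts case-insensitively (FAT volumes mounted elsewhere vary in case)."""
    path = base
    for part in parts:
        try:
            match = next(e for e in os.listdir(path) if e.lower() == part.lower())
        except (StopIteration, OSError):
            return None
        path = os.path.join(path, match)
    return path

def ini_loads_vxd(ini_text, vxd="fono98.vxd"):
    """True if [386Enh] contains an active (uncommented) device= line naming the VxD."""
    section = ""
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "386enh" and "=" in line:
            key, value = (s.strip().lower() for s in line.split("=", 1))
            # Accept a bare file name or a full path ending in the file name.
            if key == "device" and value.split("\\")[-1] == vxd:
                return True
    return False

def check_inca(windows_dir):
    """Return the Inca indicators found under a Windows 95/98 directory."""
    hits = []
    if find_ci(windows_dir, "SYSTEM", "FONO98.VXD"):
        hits.append("FONO98.VXD present in SYSTEM")
    ini = find_ci(windows_dir, "SYSTEM.INI")
    if ini:
        with open(ini, encoding="cp1252", errors="replace") as fh:
            if ini_loads_vxd(fh.read()):
                hits.append("SYSTEM.INI [386Enh] loads FONO98.VXD")
    # Weaker sign on its own: the virus only *tries* to delete this driver.
    iosubsys = find_ci(windows_dir, "SYSTEM", "IOSUBSYS")
    if iosubsys and not find_ci(iosubsys, "HSFLOP.PDR"):
        hits.append("HSFLOP.PDR missing from SYSTEM\\IOSUBSYS")
    return hits
```

An empty list after cleanup means the VxD and its SYSTEM.INI entry are gone; it does not cover infected PE files, archives or floppy boot sectors, which still need a scanner.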
