NImp is a overwriting virus written in C++. The name NImp stands for "No import

1. NImp is a overwriting virus written in C++. The name NImp stands for "No import table", because it's executable has no import table. The virus resolves all need functions by hashes.
2.  
3.  
4.  
5. The virus will search for files in user profile. If the file is executable file, the virus will infect by overwriting the file with the virus. Otherwise, the virus will overwrite the file with a string.
6.  
7.  
8.  
9. How the virus works
10.  
11.  
12.  
13. 1) The virus get the address of PEB.
14.  
15.  
16.  
17. 2) The virus read the loader data from PEB to get the base address of kernel32 and ntdll.
18.  
19.  
20.  
21. 3) The virus resolves all needed functions by hashes.
22.  
23.  
24.  
25. 4) The virus search for files in user profile.
26.  
27.  
28.  
29. 5) If the file is executable file, the virus will infect it by overwriting the file with the virus. Otherwise, the virus will overwrite the file with a string.
30.  
31.  
32.  
33. 6) After searching all files, the virus calls RtlAdjustPrivilege to enable SeShutdownPrivilege, and then calls NtRaiseHardError to crash the operating system.