Virus Database

Em.1303

Description Em.1303

It is a dangerous not memory resident encrypted parasitic virus. While execution of infected EXE-file the virus opens the C:AUTOEXEC.BAT file, reads the file contents, searches for the line which begins with "path" or "PATH" strings, and inserts the line "em" as the next line:
all
PATH= ...
em
...

Then the virus creates the C:EM.COM file and writes the encrypted virus body (1303 bytes) into there, so the virus creates its COM-dropper. Then the virus returns the control to the host EXE-file.
During execution of the virus dropper EM.COM (when "infected" AUTOEXEC.BAT receives the control) the virus searches for all .EXE-files on C: drive and writes itself to the files end.
On 28th of any month the virus calls the trigger routine. That routine scans the disk for all directory objects (files, subdirectories and volume labels) by using absolute disk read/write functions INT 25h/26h, and replaces the first letter of the objects name with SPACE character (20h), after such correction DOS cannot access these files/subdirectories.
The virus contains the internal text strings:
path
PATH
em.com c: autoexec.bat c:*.* *.exe

Check other viruses! Be aware! Use Antiviral Software

Lilo.1573

Description Lilo.1573

This is a relatively harmless memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of COM and EXE files that are executed. On the 13th of any month, the virus, depending on the system time, displays messages (see below), and either returns to DOS or reboots the computer.
The virus also contains the following texts:
LI_LO.1573 virus v.0 (test) by P&C
COMMAND.COM.EXE

The messages are:
Divide error
Program too big to fit in memory
+------------------------------------------------------------------+
| If you want to be more SEXY, you must drink a lot of Pepsi ! |
| |
| XXXX XXXX |
| XXXX XXXX --+-- +-- |
| XXXX XXXX | +--+ +- |
| XXXX XXXX | | | +-- |
| XXXXXXX XXXX | |
| XXXXXXX XXXX |
| +--+ +-- +-- -+-- |
| Greetings to +--+ +- +-+ | |
| Marek Sell +--+ +-- --+ | |
| and |
| everybody, who can XXXX XXXXX |
| read this text XXXX XXXX XXXX |
| XXXX XXXX XXXX |
| from PiCSof XXXXXXXX XXXX XXXX |
| XXXXXXXX XX XXXXX XX |
| |
| |
+-------------------------------------------------COPYRIGHT 1996---+

Linc Family

Description Linc Family

These are harmless memory resident parasitic viruses. "Linc.228,318" are encrypted viruses.
They use different ways to install itself into the system memory. "Linc.196,228" copy themselves to the Interrupt Vectors Table, "Linc.307" allocates the memory by using DOS functions and patches the MCB fields, "Linc.318" stays memory resident by using Keep call (INT 27h).
Then they hook INT 21h and infect COM files that are executed. "Linc.196,228,307" write themselves to the end, and "Linc.318" writes itself to the beginning of the file.
The viruses contain the text strings:
"Linc.196": Winter
"Linc.228": Autumn
"Linc.307": 'The Waxwork Crew' proudly release their first virus 'aardvark'
"Linc.318": [Sleeping]

Home