Virus Database

Email-Worm.Win32.Sober.y

Description Email-Worm.Win32.Sober.y
This worm spreads via the Internet as an attachment to infected messages. It sends itself to addresses harvested from the victim machine. The worm itself is a Windows PE EXE file written in Visual Basic and packed using UPX. The packed file is 55390 bytes in size and the unpacked file is 198750all

Check other viruses! Be aware! Use Antiviral Software

Dialogos.1522

Description Dialogos.1522

This is not dangerous nonmemory resident parasitic virus. They search for the files:
C:COMMAND.COM
C:DOSCOMMAND.COM
C:MSDOSCOMMAND.COM
C:DRDOSCOMMAND.COM
Then for *.COM files, then write themselves to the end of the file.
On June 10th they display the message and halt the computer:
1984-1994 10 Aniversario de DIALOGOS-3 de RNE.
Dedicado a Ramon por estos 10 anos, y por venir a la SALA-4.
Buscad la belleza es la unica protesta que merece la pena,
en este asqueroso mundo.
10/03/95 Valencia ESPANA

Diametric.3514

Description Diametric.3514

This is a dangerous memory resident parasitic polymorphic virus. It copies parts of its code to DOS kernel and XMS memory, hooks INT 21h, and writes itself to the end of EXE files that are executed, opened and while accessing file attributes. The virus has bugs and in some cases halts the computer.
The virus checks the file name and does not affect the files (anti-viruses) according to the string (two letters per name):
-VADAIAVCPDRF-FIGUIMIVMSNAPCSCSPSSSVTBTOV-VAVSWE

The virus deletes the anti-virus databases:
ANTI-VIR.DAT AVP.CRC CHKLIST.CPS CHKLIST.MS CHKLIST.TAV CRC.SVS FILES.VVL
FINGERP.VVF IM.PRM IVB.INI IVB.NTZ MSAV.CHK SMARTCHK.CPS AV.CRC BOOT.CPS
BOOT.MS BOOT.NTZ BOOT.TAV IV.INI PART.NTZ

The virus uses a quite complex means while installing its TSR copy. First, it allocates a block of XMS memory and copies its code to there. It then obtains the address of the System FCB Tables, decreases their total number and copies its "XMS manager" (94h bytes) to there. The virus also scans the DOS kernel for specific code of the INT 21h original handler and stores its address. Before returning control to the host program, the virus hooks INT 22h. When the host program is terminated, the virus patches the DOS kernel with a FAR JMP call to the virus' INT 21h handler.
The virus keeps its main code in XMS, so that the code is not available for executing and the virus cannot infect the files. To fix this, the virus "XMS manager" copies the main virus code to the video memory at the address BBF0:0100. If this code is not necessary (there is no file to infect), the virus erases it. As a result, there are only 94h bytes of virus code in the DOS memory, and this code is hidden in the DOS kernel.
The virus also contains the text strings:
TBDRVXXX
[DIAMETRIC by Rajaat / Genesis]
[RTFM]

On May 16th, depending on its random counter, the virus executes itself by a video effect - displays "DIAMETRIC" and moves the letters to "MATRICIDE".

Home