Virus Database

Alicia

Description Alicia

It is a dangerous memory resident polymorphic parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files. While hooking INT 21h the virus patches the original INT 21h handler with the Jmp_Virus instruction. The virus then infects files that are found while searching for files in disk directories (DOS functions FindFirst/Next).
The virus also affects archives and adds to them its infected dropper - a dummy program infected by the virus. The name of dropper is selected randomly like listed below, all these names are real ones that were detected on replicating the virus on test PC:
HDBK.COM, HDNK.COM, HDDK.COM, HDOK.COM, HDPK.COM, KDHD.COM

The virus detects archive files by using filename extensions. The list of accessed extensions looks like follows: ZIP, ARJ, RAR, ACE, HA, ARC, PAK, LZH, LHA, ZOO. While infecting archives the virus parses their internal formats, creates new record and writes infected dropper to there. The virus supports eight archive formats: ZIP, ARJ, RAR, ACE, HA, PAK/ARC, LZH/LHA, ZOO (PAK/ARC and LZH/LHA use the same archive formats).
While testing virus in our lab we could not to infect PAK/ARC archives. We also could not extract infected droppers from LZH/LHA archives: the original archivers halted the system because of corrupted archive contents, the reason of corruption were bugs in the virus routines. Other archives were infected and droppers were extracted without any problem.
On May 24, or on executing and infected dropper the virus displays letter-by-letter the followed string, all letters are enlarged while displaying:
A l i c i a # Version Gamma 0 . 1 # by Star0 I K X In honor of B0z0 ikx

Check other viruses! Be aware! Use Antiviral Software

Bishop.2855

Description Bishop.2855

These are dangerous not memory resident overwriting polymorphic viruses. They search for .COM-files and overwrite them. These viruses use several levels of decryption, some parts of code and data are encrypted six or more times. These viruses use several anti-debugging tricks. They contain the internal text strings and sometimes display some of them: "Bishop.2855":
STOP HERE!
CULO
We are waiting for..
A mutant BISHOP in this program
21-3-93, milan-PARMA : 0-1.
*.COM
-BISHOP-

"Bishop.4517":
WHY DEBUGGER?
PARMA CAMPIONE !!!!!!!!
ANOTHER YEAR
A mutant ROOK in this program
*.COM
- UAH UAH UAH! Non puoi fregare ROOK come fregasti BISHOP! -
- ROOK -
The ROOK virus !!!
Understand?
DECEMBER VERSION
A variant of the DECEMBER VERSION
+---+-----------------------+---+
ƒ R ƒ n ƒ b ƒ q ƒ k ƒ b ƒ n ƒ R ƒ
+---+---+---+---+---+---+---+---+
ƒ p ƒ p ƒ p ƒ p ƒ p ƒ p ƒ p ƒ p ƒ
+---+---+---+---+---+---+---+---ƒ
ƒ ƒ ƒ ƒ ƒ ƒ ƒ ƒ ƒ
+---+---+---+---+---+---+---+---ƒ
ƒ ƒ ƒ ƒ ƒ ƒ ƒ ƒ ƒ
+---+---+---+---+---+---+---+---ƒ
ƒ ƒ ƒ ƒ ƒ ƒ ƒ ƒ ƒ
+---+---+---+---+---+---+---+---ƒ
ƒ ƒ ƒ ƒ ƒ ƒ ƒ ƒ ƒ
+---+---+---+---+---+---+---+---ƒ
ƒ p ƒ p ƒ p ƒ p ƒ p ƒ p ƒ p ƒ p ƒ
+---+---+---+---+---+---+---+---+
ƒ R ƒ n ƒ b ƒ q ƒ k ƒ b ƒ n ƒ R ƒ
+---+-----------------------+---+

BitAddict.432

Description BitAddict.432

These are memory resident parasitic viruses. They hook INT 21h and write themselves to the end of the the files that are executed.
BitAddict.432,477
These are dangerous viruses. They copy their TSR copies into the video memory and infect only COM files. The 100th generation of the virus erases the disk sectors and displays:
The Bit Addict says:
"You have a good taste for hard disks, it was delicious !!!"

This viruses also contain the text:
BIT ADDICTMZ

BitAddict.512.a,b
These are dangerous viruses. "BitAddict.512.a" is encrypted one. On execution they infect the COMMAND.COM file. On installation they copy themselves into the system buffers and infect COM files that are executed.
"BitAddict.512.a" erases the disk sectors. It contains the text string:
Bit AddictCOMMAND.COM

The 100th generation of "BitAddict.512.b" erases the disk sectors and displays:
Bit Addict says:
"You have a good taste for hard disks, it was delicious!"

BitAddict.979,1190,1459,1601
Being executed these viruses search for the "COMSPEC=" string and infect the file that is pointed by that string, usually it is the COMMAND.COM file. On installation they copy themselves into the system buffers. Some of these viruses trace the INT 21h vector. Then these viruses infect COM and EXE files that are executed.
"BitAddict.1459,1601" erase the disk sectors, other viruses are harmless ones. They contain the text strings:
"BitAddict.979": COMSPEC=BIT ADDICT 2.00
"BitAddict.1190": COMSPEC=BIT ADDICT 2.10
"BitAddict.1459": COMSPEC= 12/19/91
"BitAddict.1601": COMSPEC=Bit Addict Version 3

Home