Virus Database


Evolution.2770

Description Evolution.2770

This is a dangerous memory-resident, parasitic, polymorphic stealth virus. On execution it copies itself into a UMB or into conventional memory, traces and hooks INT 13h and INT 21h, hooks INT 09h, and writes itself to the end of EXE files that are executed, renamed or closed.
On file opening the virus runs its stealth routine: it opens the file, loads it into memory and executes a trace routine that steps through the decryption loop and restores the original contents of the virus body, including the saved fields of the infected file's EXE header. The virus then restores the EXE header of the infected file from the decrypted data and truncates the file to its original length, so an infected file is disinfected on opening while the memory-resident copy of the virus is active.
Two of the hooked interrupts call trigger routines. The first is INT 13h: on every 256th call to INT 13h with AH=2 or AH=3 (read/write sector) the virus executes its damage routine, which inverts one randomly selected bit in the data buffer.
The second "trigger" interrupt is the keyboard handler, INT 09h. When the ALT, CTRL or DEL key is pressed, the virus checks its internal counters and the system timer and, depending on these values, displays the message (the first variant displays it in Chinese), delays, and reboots the computer:
-=_ Evolution 2001 Virus was done by lord Salivantis - Nov/Dec 1993 _=-
This virus uses the i386 extended registers and several other newer Intel instructions. On installation it checks the processor mode. If the processor is in real mode (DOS was loaded without a memory manager such as QEMM or EMM386, and the DOS session is not running under MS-Windows, OS/2 and the like), the virus uses a special technique to hide itself in memory. It moves the Interrupt Vector Table into the body of its TSR copy (reserving enough memory to hold the code and data, about 7K) and loads the address of that copy into the Interrupt Descriptor Table register with the i386+ LIDT instruction.
As a result the processor uses the virus's copy of the Interrupt Vector Table to dispatch interrupts instead of the original table at addresses 0000:0000-03FF. Every interrupt address is fetched by the processor from inside the virus (the copied table). The original Interrupt Vector Table can be filled with zeros and the computer will keep working without problems: those pointers are no longer used by the processor, and that memory is effectively free.
This trick hides the virus in memory very well. Standard debuggers and anti-virus utilities do not work correctly, because debuggers cannot set the trace vectors INT 01h/03h, and anti-virus utilities cannot locate the real addresses of the "virus-alarm" interrupts INT 13h, 21h, 25h and 26h. These utilities access the standard Interrupt Vector Table directly (at addresses 0000:0xxx) or use the DOS Get/Set Vector functions of INT 21h, both of which the processor now ignores.
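The INT 13h damage routine above inverts a single random bit in a sector buffer on every 256th read or write, which is the kind of slow, silent corruption that only a stored integrity baseline catches. The following added example (written for this page, not code from the database or from the virus) keeps a per-sector CRC32 baseline of a disk image, rescans, and for every changed sector counts the differing bits: a sector that differs by exactly one bit is the damage signature described in the entry, while a sector with many changed bits is an ordinary rewrite. The disk image, the flipped bit and the rewritten sector are constructed in `build_sample()`; the function names are this example's own.

```python
import random
import zlib

SECTOR_SIZE = 512  # DOS-era sector size used by INT 13h read/write calls


def sector_crcs(image: bytes) -> list[int]:
    """CRC32 of every sector: the baseline a clean system stores for later rescans."""
    return [zlib.crc32(image[i:i + SECTOR_SIZE])
            for i in range(0, len(image), SECTOR_SIZE)]


def locate_flips(ref_sector: bytes, cur_sector: bytes) -> list[tuple[int, int]]:
    """(byte offset, bit number) of every bit that differs between two sectors."""
    flips = []
    for off, (a, b) in enumerate(zip(ref_sector, cur_sector)):
        diff = a ^ b
        for bit in range(8):
            if diff >> bit & 1:
                flips.append((off, bit))
    return flips


def classify_changes(reference: bytes, current: bytes) -> list[dict]:
    """Compare a freshly read image against a trusted reference copy.

    CRC32 screens the sectors cheaply (it detects every single-bit change);
    only sectors whose CRC moved are compared byte by byte.  Each record says
    whether the change is a single inverted bit, the signature of the
    Evolution.2770 damage routine, or a larger (normal) rewrite.
    """
    if len(reference) != len(current):
        raise ValueError("images must be the same size")
    findings = []
    for idx, (ref_crc, cur_crc) in enumerate(zip(sector_crcs(reference), sector_crcs(current))):
        if ref_crc == cur_crc:
            continue
        start = idx * SECTOR_SIZE
        flips = locate_flips(reference[start:start + SECTOR_SIZE],
                             current[start:start + SECTOR_SIZE])
        findings.append({
            "sector": idx,
            "bits_changed": len(flips),
            "flips": flips[:8],          # keep the report short for large rewrites
            "single_bit": len(flips) == 1,
        })
    return findings


def build_sample() -> tuple[bytes, bytes]:
    """Constructed test data: a 16-sector image, a copy with one bit inverted in
    sector 3 (as the damage routine would do) and sector 7 fully rewritten."""
    rng = random.Random(1993)
    reference = bytes(rng.getrandbits(8) for _ in range(16 * SECTOR_SIZE))
    current = bytearray(reference)
    current[3 * SECTOR_SIZE + 100] ^= 1 << 5        # single-bit damage
    start = 7 * SECTOR_SIZE
    current[start:start + SECTOR_SIZE] = bytes(b ^ 0xFF for b in reference[start:start + SECTOR_SIZE])
    return reference, bytes(current)


if __name__ == "__main__":
    ref, cur = build_sample()
    for rec in classify_changes(ref, cur):
        kind = "single-bit inversion (matches damage routine)" if rec["single_bit"] else "rewrite"
        print(f"sector {rec['sector']}: {rec['bits_changed']} bit(s) changed, {kind}, first flips {rec['flips']}")
```

In practice the baseline is taken on a machine booted from clean, write-protected media, so the resident virus cannot apply its stealth to the reads; the CRC list is small enough to keep off the suspect disk. A single-bit mismatch in a file that should not have changed at all (system binaries, archives) is the finding worth chasing.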


Macro.Word.Snickers

Description Macro.Word.Snickers

This macro virus contains two macros: AutoOpen and AutoClose. On AutoOpen it infects documents that are loaded into Word. After infection, and on AutoClose, the virus shuffles the characters within the current document. It also creates a new variable in infected documents:
snickers=mmmhh

Macro.Word.Socks

Description Macro.Word.Socks

This is a Word macro virus. It contains four macros: AutoOpen, SOK, ToolsMacro (stealth) and ToolsCustomize.
The infection routine is in the SOK macro, which the AutoOpen macro calls when a document is opened. The virus does not infect NORMAL.DOT; it infects the files listed in the recently used file list.
On September 9, depending on the system's random counter, it erases files matching one of the masks *.EXE, *.COM, *.OVL, *.BIN, *.TXT, *.DOC, *.DOT, *.ZIP, *.ASM, *.DLL.


    Copyright © 2005 Virus-Database.com