Virus Database


ExeHeader family

Description ExeHeader family

These are memory-resident parasitic viruses. They write themselves into free space (a "cave") in the EXE header, so the length of the file does not grow on infection.
The viruses contain the text strings:
"Bane.256": [Bane]
"Bosco.a": BOSCO
"Bosco.b,d": BOSCO D'SOUZA
"Bosco.c": ROYDEN D'SOUZA
"Dina.271": Dina v4.4r
"Dina.283": Dina v4.2r
"Dragon.400": DRAGON-2 Anti
"HeaderBug.324": C:DOSSMARTDRV.EXE =HeaderBug=
"Hobbit.416": HOBBIT
"Mike.252": (c) MIKE.
"Morality": MORALITY
"Mz1": Mz1 Copyright (c) 1992 by Ç¡ñ á
"Renegade.416": Renegade
"Retro": [Dying_Oath] by Retro
"Vlad.337": [Serrelinda], Rhince/VLAD
"XAM.278": XAM

"ExeHeader.VVM, 222, 223, and 384" hook INT 13h and infect files when a sector is read or written via INT 13h and that sector contains an EXE header. These viruses use a stealth algorithm at the INT 13h level.
"ExeHeader.396" is a dangerous virus. It hooks INT 21h and infects files as they are executed. It converts EXE files to COM format. After the 256th successful infection, the virus erases disk sectors.
"ExeHeader.440" is a dangerous virus. It hooks INT 1Ch and INT 21h and writes itself into EXE files as they are executed or opened. In some cases it also infects COM files, infecting them the same way as EXEs, and these files become corrupted. Depending on its internal counter, the virus manifests itself with a video effect.
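The header-cave infection described above can be checked for by parsing the MZ header: the bytes between the end of the relocation table and the start of the load module (e_cparhdr * 16) are padding and are all zero in a clean file. The following Python is an added example written for this page, not code from the original database entry; the sample EXE builder and the 16-byte threshold are constructed assumptions.

```python
import struct

def build_sample_exe(cave_bytes: bytes = b"") -> bytes:
    """Constructed sample: a 512-byte MZ header (e_cparhdr = 32) with two
    relocation entries at 0x1C, optionally with data planted in the cave."""
    hdr_paras, e_lfarlc, e_crlc = 32, 0x1C, 2
    header = bytearray(hdr_paras * 16)
    # e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc,
    # e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno
    struct.pack_into("<2sHHHHHHHHHHHHH", header, 0, b"MZ", 0x80, 2, e_crlc,
                     hdr_paras, 0, 0xFFFF, 0, 0x100, 0, 0, 0, e_lfarlc, 0)
    cave_start = e_lfarlc + 4 * e_crlc            # 0x24: first byte after the relocations
    assert len(cave_bytes) <= hdr_paras * 16 - cave_start, "payload larger than the cave"
    header[cave_start:cave_start + len(cave_bytes)] = cave_bytes
    return bytes(header) + b"\x90" * 128           # load module: constructed filler

def header_cave(data: bytes):
    """Return (cave_start, load_start, used) for an MZ file, where `used` is the
    number of non-zero bytes in the padding between the relocation table and
    the load module. A clean linker output leaves that region zero-filled."""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    e_crlc, e_cparhdr = struct.unpack_from("<HH", data, 6)
    e_lfarlc = struct.unpack_from("<H", data, 0x18)[0]
    load_start = e_cparhdr * 16
    cave_start = max(e_lfarlc + 4 * e_crlc, 0x1C)
    cave = data[cave_start:load_start]
    return cave_start, load_start, len(cave) - cave.count(0)

def looks_cave_infected(data: bytes, threshold: int = 16) -> bool:
    """Heuristic (assumed threshold, not a published signature): flag a file whose
    header padding carries a meaningful amount of non-zero data."""
    return header_cave(data)[2] >= threshold

if __name__ == "__main__":
    clean = build_sample_exe()
    infected = build_sample_exe(bytes(range(1, 256)))   # constructed 255-byte payload
    print(len(clean) == len(infected), header_cave(clean), header_cave(infected))
```

Because the payload lives inside existing padding, the clean and infected samples have identical lengths, which is exactly why a size check alone misses this family.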
ExeHeader.AntiArj
These viruses corrupt the sectors that contain the ARJ archive header.
ExeHeader.Clust
These are encrypted viruses. They contain the texts:
"Clust.a": [Clust2] JT / TridenT
"Clust.b": [Clust2B]
"Clust.c": [Clust2C]

ExeHeader.Bosco
These viruses search and delete the *.CHK files.
ExeHeader.Dragon.400
This is a stealth virus. It installs itself as a device driver and intercepts read and write calls to device drivers. If the accessed data begin with an EXE stamp (MZ), the virus inserts itself into that data.
ExeHeader.Joan
This virus is very similar to "ExeHeader.Pure" (see below). It contains the text string:
> Joan v1.2 by KiKo NoMo of T.N.T. Taipei/Taiwan 1995/08 <

ExeHeader.Ming
In some cases it corrupts files. Depending on the system time, it displays the following message:
Written By Crazy Lord (Ming)
Made In Hong Kong

ExeHeader.Olya
This is a dangerous stealth virus. On April 26th, it overwrites the disk sectors with the string:
Olya Kibina

ExeHeader.Pure
These viruses install themselves into the High Memory Area by using an INT 2Fh function. They then trace and hook INT 13h. These are stealth viruses.
ExeHeader.SkidRow
When installing their TSR copies, these viruses copy themselves into one of the system buffers and hook INT 13h. If the day-of-month and month numbers match, they display the following messages:
"ExeHeader.SkidRow.415,427":
This is Skid-Row Virus
Written by Dark Slayer
* in Keelung. Taiwan *

"ExeHeader.SkidRow.432":
This is Skid-Row Virus
Written by Dark Slayer
% in Keelung. Taiwan %

ExeHeader.XAM.278
This virus hooks INT 16h and, on each keystroke, checks the system buffers for an EXE file header. If a buffer contains an EXE file header, the virus copies itself into that buffer.


BAT.Batalia4

Description BAT.Batalia4

This is a harmless non-memory resident parasitic BAT virus. It searches for BAT files in the current directory and infects them. While infecting a file, the virus runs the ARJ archiver to pack the necessary files. If there is no ARJ.EXE in PATH, the virus fails to replicate.
The virus contains two parts of code and data. The first part (the header) contains DOS commands:
@echo off
rem BAT4
arj x %0 >nul
call i
del sg
del i.bat
The second part (the rest) is an ARJ archive. This archive contains the I.BAT file, which is the main virus code, and an additional file named SG. The SG file contains several additional batch commands.
Thus any infected file contains text strings (DOS commands) followed by binary data (the ARJ archive).
When executed, the virus runs the ARJ archiver, extracts I.BAT and runs it. This batch file then searches for uninfected BAT files in the current directory and infects them.
While infecting, the BAT.Batalia4 virus appends its code to the end of files and does not modify the original file contents.

BAT.Batalia6

Description BAT.Batalia6

This is a harmless non-memory resident polymorphic parasitic BAT virus. It searches for BAT files in the current directory and infects them. While infecting a file, the virus runs the ARJ archiver to pack the necessary files. If there is no ARJ.EXE in PATH, the virus fails to replicate.
The infected batch file contains two parts of code and data. The first part (the header) contains five DOS commands; the second part (the rest) contains a randomly named BAT file compressed with the ARJ archiver and a password. Thus the infected file contains text strings (DOS commands) followed by binary data (the ARJ archive).
That BAT file also contains two parts: the main virus code (batch commands) and compressed data. The compressed data contains several files: the host file and the virus data and code files. The infected files look like an ARJ archive within an ARJ archive:
+--------------------+
|BAT instructions    | - Header 1, startup virus code
|--------------------|
| ARJ archive:       | - Random named BAT file packed with ARJ
| +----------------+ |
| |BAT instructions| | - Header 2, main virus code
| |----------------| |
| | ARJ archive:   | | - The set of files
| | +------------+ | |
| | |BATALIA6.BAT| | | - Infection, polymorphic and random generator
| | |            | | |   routines
| | |hostfile.BAT| | | - The original host file
| | |ZAGL        | | | - Virus data file
| | |RULZ        | | | - Virus data file
| | |FINAL.BAT   | | | - Deletes the temporary files and subdirectory
| | +------------+ | |
| +----------------+ |
+--------------------+
Header 1 contains five commands that are selected from several variants and have different lengths, for example:
@echo off
rem arj e %0 %compec% -g5
C:COMMAND.COM nul /carj x %0 -g2
:nul arj x %0 -g7 C:COMMAND.COM
w HOST.BAT

@EcHo OfF
rem COMMAND.COM nul /carj x %0 -g1
%comspec% nul /c arj e HOST.BAT -g3
:echo C:COMMAND.COM nul /carj x %0
i HOST.BAT
The ARJ archive is encrypted with a randomly selected password, so the virus contains no constant bytes; as a result it is the first known polymorphic BAT virus.
When executed, the virus (header 1) runs the ARJ archiver, extracts the second part (the BAT file) and executes it. The code of the second part creates a temporary directory, extracts the files from the second archive into it, runs the search, infection and polymorphic routines, then executes the host file and deletes the temporary files and the temporary directory.
The code of the virus contains the following text strings:
: Death Virii Crew & Stealth Group World Wide
: P R E S E N T S
: First Mutation Engine for BAT !
: Without ASM !
: [BATalia6] & FMEB (c) by Reminder

: [ASCII-art banner: Stealth Group Worldwide logo and "Magazine for VirMakers" lettering]
:
: Box 10, Kiev 252148
: Box 15, Moscow 125080
: Box 11, Lutsk 263020
:
: R E A D I N F E C T E D V O I C E
:
: (c) by Reminder (May 22, 1996)
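Both BAT.Batalia4 and BAT.Batalia6 share the same file layout: plain batch commands that invoke ARJ on %0 (the running file itself), followed by a binary ARJ archive. The following Python is an added example for this page, not code from the database or from the viruses; it locates the appended archive by the ARJ header id (0x60 0xEA), checks that everything before it is printable batch text, reads bit 0 (GARBLED) of the arj_flags byte to tell whether the archive is password-protected (as in Batalia6), and looks for the self-extraction command in the header. The ARJ header stub in the sample is constructed, not a real archive.

```python
ARJ_MAGIC = b"\x60\xEA"     # every ARJ archive starts with this header id
GARBLED_FLAG = 0x01         # bit 0 of arj_flags: password-protected archive

def split_batalia_file(data: bytes):
    """Split a suspect .BAT into (batch_text, arj_offset, password_protected).
    Returns None when no appended ARJ archive is found or the leading part is
    not plain batch text (the interpreter must be able to read it as commands)."""
    off = data.find(ARJ_MAGIC)
    if off <= 0:
        return None
    head = data[:off]
    if any(b > 0x7E or (b < 0x20 and b not in b"\r\n\t\x1a") for b in head):
        return None
    # basic header: id(2) size(2) first_hdr_size(1) ver(1) minver(1) host_os(1) flags(1)
    flags = data[off + 8] if len(data) > off + 8 else 0
    return head.decode("ascii"), off, bool(flags & GARBLED_FLAG)

def header_runs_arj_on_self(batch_text: str) -> bool:
    """True if any command line runs arj with %0 as the archive, which is the
    self-extraction trick both Batalia variants rely on (case-insensitive,
    so the mixed-case Batalia6 headers are matched too)."""
    return any("arj" in line and "%0" in line
               for line in batch_text.lower().splitlines())

# Constructed sample built from the Batalia4 header quoted in this entry.
BATALIA4_HEADER = b"@echo off\r\nrem BAT4\r\narj x %0 >nul\r\ncall i\r\ndel sg\r\ndel i.bat\r\n"

def make_sample(garbled: bool) -> bytes:
    """Batch header plus a constructed ARJ main-header stub (not a valid archive)."""
    flags = GARBLED_FLAG if garbled else 0
    arj = ARJ_MAGIC + bytes([0x22, 0x00, 0x1E, 0x0B, 0x01, 0x00, flags]) + b"\x00" * 40
    return BATALIA4_HEADER + arj

if __name__ == "__main__":
    for garbled in (False, True):
        text, off, protected = split_batalia_file(make_sample(garbled))
        print(off, protected, header_runs_arj_on_self(text))
```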

    Copyright © 2005 Virus-Database.com