Virus Database


Flip.2343

Description Flip.2343

When an infected file is run, these viruses infect the MBR of the hard disk. To do this, they decrease the size of the logical drive and write the original MBR and the remainder of their own code into the freed space. The viruses infect COM and EXE files when they are loaded. "Flip" viruses are polymorphic inside files: they are encrypted, and the decryption code has no signature longer than two bytes.
On the 2nd of each month at 4 p.m., these viruses 'turn the screen over': they swap the positions of characters on the screen (up <-> down, right <-> left) and turn the characters themselves over ('/' -> '\' and so on).
The "Flip.2343" virus replaces the following instruction sequence in files with a call to INT 9Fh:
MOV DX,Data_1
MOV Data_2,DX
MOV DX,Data_3
MOV Data_4,DX

This instruction sequence is found in the COMMAND.COM subroutine that outputs to the screen the results of the DOS functions FindFirst and FindNext. The virus handles the INT 9Fh calls and "shortens" the size of the files. These files must be recovered from their backup copies.
The viruses contain the text "OMICRON by PsychoBlast" and hook INT 10h, 1Ch, 21h, and 9Fh.
"Flip.Madrid" formats disk sectors and displays: "RAISTLIN I from Spain". It also contains the internal string: "MADRID a favor del consumo de costo!".


MultiLevel.3072

Description MultiLevel.3072

It is a very dangerous memory-resident, polymorphic, stealth parasitic virus. When an infected file is executed, the virus traces INT 21h to get its original address, hooks INT 22h (DOS function Terminate), releases control, and waits for the host program to terminate. Then it hooks INT 21h and stays memory resident.
The virus infects files as they are accessed. When an infected file is read, written or opened, the virus calls its stealth routine, and in some cases disinfects the file. When infecting a file, the virus generates polymorphic code that contains several decryption loops. The number of these loops depends on the system timer.
The virus checks the file name and does not infect files matching:
*AIDS*.EXE *CHKD*.EXE *WEB*.EXE *SCAN*.EXE *PROT*.EXE *AR*.EXE *ZI*.EXE
*TB*.EXE *COMM*.COM *WIN*.COM

Depending on the system date (Sunday 2nd, Monday 4th, Tuesday 6th, Wednesday 8th, Thursday 10th, Saturday 12th), the virus erases the hard drive sectors and reboots the computer.
The virus contains the text strings:
Multilevel Encryptor v1.0. Generation:
-=Killer=-
8 in 1

Muminki.902

Description Muminki.902

It is a non-dangerous, non-memory-resident, encrypted parasitic virus. It searches for COM files in the current directory, then in the C: and C:DOS directories, and writes itself to the end of each file. Depending on the system timer, the virus displays one of the following messages and returns control to DOS:
IZK=Muminki
;-)) Big smile for Guciu,Ganz,MadMi,Toros etc.$
Out of memory

The virus also contains the text string:
*.com C:*.com C:DOS*.com COMMAND.COM

    Copyright © 2005 Virus-Database.com