Virus Database

Amber

Description Amber
It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are closed. This virus is stealth on FindFist/Next calls. When several anti-viruses or file compressing utilities are run (ADINF, WEB, AIDSTEST, SCAN, ARJ, ZIP, LHA, RAR), the virus disables its stealth branches. The virus contains the text strings:
NFEBSTANRJIPHAAR
[·This is only ForeWord·]

Check other viruses! Be aware! Use Antiviral Software

Div.725

Description Div.725

It is a harmless nonmemory resident encrypted parasitic virus. It uses anti-debugging tricks. When an infected file is executed, the virus searches for COM files, then writes itself into middle of the file. It then leaves its copy in the system memory, hooks INT 21h and intercepts file accessing calls, but does not infect files. It seems that virus author did not complete this part of the virus code, so the virus is marked as "nonmemory resident".
The virus splits its code into four blocks (the second block is encrypted) and writes them to file at fixed offsets: 0, 100h, 300h, and to the end of the file. Beforehand the virus saves all erasing data to the end of the file.

DIW.386

Description DIW.386

These are non-memory resident parasitic viruses. They search for .COM-files, then write themselves to the end of the file. The viruses contain the following text string:
*.com

and:
"DIW.386": *.dbf
"DIW.389": *.exe
"DIW.512": *.dbf aidstest.* adinf.* *.txt *.doc
"DIW.565": *.dbf clip????.* ?link.* *.obj *.arf
"DIW.597": ELEFANT

"DIW.212,229,288" are harmless viruses, and they do not manifest themselves in any way.
"DIW.377", dating from 1999, halts the system. It also resets the active partition flag in the MBR of the hard drive.
"DIW.386,389" checks the system date and time, and if the day number is equal to month number, e.g, 9 September = 9/9, and if the hour counter is equal to the minutes counter, these viruses search for files, and delete them:
"DIW.386": *.BDF-files
"DIW.389": *.EXE-files

"DIW.393" displays:
DIW 1.0
*** MORNING STAR ***
Press any key to continue all

This virus also contains the text strings in Russian.
"DIW.428" changes the video palette registers. "DIW.480" "shakes" the screen. "DIW.488" changes the settings of the system timer.
"DIW.512,565" searches for files and deletes them from the following filenames:
"DIW.512": *.DBF AIDSTEST.* ADINF.* *.TXT *.DOC
"DIW.565": *.DBF CLIP????.* ?LINK.* *.OBJ *.ARF

"DIW.555" reboots the system or displays the messages in Russian. This virus also contains the following text string:
DIW 2.0

"DIW.597" "eats" the screen. "DIW.600" deletes files:
CHK*.* *.___
[NOTE: "___" not displayable ASCII chars]

On the 13th of any month, this virus deletes *.EXE-files, on November 28th, it corrupts MBR and displays the following message:
User PC - I N F E C T E D !
Call Lozinsky !
(c) VIRUSOFT Inc.

Home