Anarchy.6093
Description Anarchy.6093
This is a very dangerous memory-resident multipartite virus that infects COM, EXE and Word 6/7 DOC files. It is the first known parasitic virus that infects both COM/EXE files and Word documents. The virus contains the text: JAN FAKOVSKIJ,USSR,1997 JANKA DYAGILEVA
The virus infects executable COM and EXE files in a standard way: it writes itself to the end of the file and modifies the file header (entry point address, etc.). While infecting DOC files, the virus parses the OLE2 file structure, converts the document to a template, creates the macro area and writes the AUTOOPEN macro there. In DOS executable files the virus is polymorphic: its code is encrypted, and a polymorphic decryption loop restores it before the virus installation routine takes control.
While installing itself memory resident, the virus uses quite a complex way to detect its TSR copy and prevent duplicate installation. The virus opens the file with the name "JANKA DYAGILEVA". If DOS returns the error flag (there is no such file), the virus installs itself memory resident. If the virus is already installed, it emulates the presence of that file, and subsequent virus copies do not install themselves memory resident. The virus also looks for the "COMSPEC=" and "WinDir=" strings in the environment area and infects COMMAND.COM and/or WIN.COM.
If MS Windows is not active, the virus then allocates a block of system memory, copies itself there and hooks INT 21h, 2Fh. If the virus is run under MS Windows, it checks specific addresses in XMS memory and looks for the Virtual Memory Manager (VMM32.VXD). If its code is present there, the virus patches it to hook not only DOS INT 21h calls, but also Windows95 file access calls. Then the virus uses that hook to hide infected files. This routine is not bug-free - the virus halted my Win95 test computer on testing, and replicated itself only under DOS.
The virus then infects COM, EXE and DOC files that are executed (COM/EXE) and opened. The virus also hooks file creation and infects the created files on closing. The virus is stealth on reading from infected COM and EXE files and on FindFirst/Next DOS calls. On writing to infected COM and EXE files the virus disinfects them.
The virus disables its stealth routines when the archivers ARJ, ZIP, RAR and RAR20 are active, or when the anti-virus programs AIDSTEST.EXE, WEB.EXE, DRWEB.EXE are run. This is one of the first known viruses that supports not only standard DOS file names, but also long ones (extended DOS functions to access long-named files).
When an infected document is opened, the virus AUTOEXEC macro takes control. That macro creates a temporary EXE file with the virus code inside, and executes it. That file then looks for the "COMSPEC=" and "WinDir=" strings in the environment area, infects COMMAND.COM and/or WIN.COM and exits. The AUTOEXEC macro then deletes this EXE dropper and returns control to MS Word.
On May 9, April 8, 30 the virus erases a randomly selected hard drive sector with a text in Russian. On writing to a disk file the virus scans the data buffer for some data (the text in Russian: "Lybertsy" and "B.Eltzyn"(?)) and erases a randomly selected disk sector if any of these strings is present.
Jorgito.730
Description Jorgito.730
This is a harmless memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed. On March 14th the virus decrypts and displays the message: "Jorgit_ Was Here". It also displays: "Córdoba Argentina".
Joshi.a
Description Joshi.a
These are dangerous stealth viruses. They infect floppy disk boot sectors and the hard disk MBR when these are accessed (INT 13h, ah=2,3,4,0Ah,0Bh). The viruses consist of two parts. The first part contains the body of the virus and is placed in the boot sector (or MBR) of the disk. The second part contains the original first sector of the infected disk and the other eight sectors of the virus, and occupies the 40th or 80th track of the floppy disk (the virus uses a nonstandard format); on hard disks the second part of the virus body begins at the second sector of the starting track. The viruses can destroy the FAT when they save their own copy on the disk.
The viruses hook INT 21h. Just after starting (rebooting of the system) they permanently check interrupt vector 21h, and if it is changed the viruses read the new value of the vector. The viruses hook INT 9h (keyboard). When the ALT-CTRL-DEL keys are used to reboot the system, the viruses emulate rebooting: they clear the screen and so on. The viruses will stay resident even if you boot the system from a clean and write-protected floppy disk.
On the 5th of January the viruses display the message "Type `Happy Birthday, Joshi'!" and wait for "Happy Birthday, Joshi!" to be entered from the keyboard. The viruses hook INT 8, 9, 13h, 21h.