Virus Database

Hi Family

Description Hi Family

These are memory resident parasitic viruses. Upon being executed, they decrease the DOS memory size (word at address 0000:0413), and install themselves into the memory by correcting the MCB blocks. Then they hook INT 21h, and write themselves to the end of EXE files that are executed. "Hi.378" infects COM files only.
The viruses contain the following text strings:
"Hi.460,512": Hi
"Hi.549": ACE OF BASE
"Hi.671": ACE OF BASE 2
"Hi.802": AOB 3

"Hi.378, 460," and "512" are harmless viruses, and do not manifest themselves in any way.
"Hi.549" hooks INT 17h, and disables printing. On October 31st, it corrupts CMOS memory and deletes files that are executed.
"Hi.671" hooks INT 17h, and changes the symbols that are printed: 'V' -> 'D', and 'b' -> 'j'. On October 31st, it deletes files that are executed. On August 29th, it disables INT 14h (COM ports).
On August 30th, "Hi.680" erases the disk sector, and "Hi.764" halts a computer. These viruses display the following messages:
"Hi.680":
Ha!Ha!!Ha!!!
You Have The Raveica Virus V1.3!

"Hi.764":
Ha!Ha!!Ha!!!
Ai un virus!
Pt. obtinerea devirusorului grabiti-va sa-l felicitati
astazi pe Claudiu Raveica cu ocazia zilei de nastere
Adresa:Str:Marasesti Bl:11 App:15
Oras:Bacau Jud:Bacau Cod:5500
Bing cu bang

"Hi.802" sometimes hooks INT 14h and 17h, and disables printers and COM ports.
"Hi.892": starting from October 24th, this virus hooks INT 08h and displays the following message:
NU MAI MISCA MOUSE-ul!
CA "A LOVESTI PESTE
COAIE

"Hi.895": starting from October 2nd, it hooks INT 08h (timer) and sometimes plays a tune.

Check other viruses! Be aware! Use Antiviral Software

Antibase.1900

Description Antibase.1900

It's a not dangerous memory resident encrypted parasitic virus. It hooks INT 21h and writes itself at the beginning of COM- and into the middle of EXE-files which are accessed. It displays the message:
********************************
<<<< AntiDBASE by Michael >>>>
********************************
So what?
So fuckin' what?
I've been a nasty, I've been a brighter
I've been a wizz for two - So what?
And I've been here, I've been there
And I've been here and fuckin' there - So what?
_______________________
So What, Metallica 1992

It contains the additional text strings:
Kill'em all
Seek&Destroy
This program is written in the city of Sofia by Michael.
March 1994
HEY,STUPID,GET AWAY**Unallocated

Anticmos

Description Anticmos

It is a dangerous boot and MBR infector. On booting from infected floppy it infects the MBR of the hard drive, then it hooks INT 13h and infects the boot sector of the floppy disks. While infecting a disk the virus does not save the original sector. Sometimes it erases the CMOS memory.
"Anticmos.Lixi" contains the string:
I am Li Xibin!

The virus infection routine is a little bit buggy: while infecting boot sectors on floppy drives it overwrites a part of boot sector system data (miscellaneous fields: volume label, serial number, file system ID, and some other fields that are useful on hard drive boot sector only). These data are overwritten by virus installation routine.
While disinfecting affected floppy disks many anti-virus programs leave this part of virus code as-is, and these "virus traces" can be detected by other anti-virus programs (for example, AVP detects them as an unknown variant of "Anticmos" virus). The AVP anti-virus disinfection routine cleans the virus correctly: it removes not only the rest of virus code, but this installation routine too, and floppy disks disinfected by AVP do not cause any alarms.

Home