Virus Database

Holiday.3000

Description Holiday.3000

This is a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. After infecting a file the virus tries to infect COMMAND.COM file of the current drive.
On March, 3th the virus displays the message:
+----------------------------------------------------------------+
ƒ ATTENTION! ƒ
ƒ I'm very sorry, today is my holiday. ƒ
ƒ So, I can't serve you, cause I want to play on your computers. ƒ
ƒ ƒ
ƒ DON'T TURN OFF YOUR COMPUTER UNTIL TOMORROW, ƒ
ƒ OR YOUR DATA WILL BE LOST!!! ƒ
ƒ ƒ
ƒ I'll be back to serve you tomorrow. ƒ
ƒ Thank You, ƒ
ƒ ƒ
ƒ AAA ƒ
+----------------------------------------------------------------+

And then wait for March, 4th. Then the viruses display the message and reboots computer:
Thank You for playing, see youall
Please, hit ENTER!
The virus also contains the text string:
apa saja

Check other viruses! Be aware! Use Antiviral Software

Linux.Satyr.a

Description Linux.Satyr.a

This is a harmless non-memory resident parasitic Linux virus. The virus is a Linux executable module (ELF file). It searches for other ELF files in the system, and then infects them. The virus infects files in the following directories:
current directory
parent directory
~/ (user root directory)
~/bin (user /bin directory)
~/sbin (user /sbin directory)
/bin
/sbin
/usr/bin
/usr/local/bin
/usr/bin/X11
While infecting, the virus moves a victim's file contents down, and writes itself to the file header. To release control to the host file, the virus "disinfects" it to a temporary file and executes it.
The virus does not manifest itself in any way. Its body contains the "copyright" text string:
unix.satyr version 1.0 (c)oded jan-2001 by Shitdown [MIONS], http://shitdown.sf.cz

Linux.Vit.4096

Description Linux.Vit.4096

This is a nonmemory resident parasitic virus. The virus has the internal ELF format, replicates under Linux OS and infects Linux executable files. This is the second known Linux virus, the first being "Linux.Bliss".
Linux is a access-protected system; i.e., users and programs may access only files that they have permission to. The same is true for a virus - it may infect only the files and directories that are declared as "write-able" for the current username. If the current username has total access (system administrator), the virus will infect all the files on a computer.
When an infected file is executed, the virus takes control, searches for executable ELF files in the current directory and infects them into the middle. While infecting, the virus analyzes the internal file formats (ELF headers), locates the first code section, makes a "cave" by shifting this and the following sections down by 4096 bytes, writes its code to this "cave," modifies the file entry address and corrects necessary fields in the ELF headers.
Clean file: Infected file:

+---------------+ +---------------+
| ELF Headers |--+ | ELF Headers |--+
| | | | | |
|---------------| | |---------------|<-+ virus entry
| Section 1 |<-+ entry +-| Virus | address
| | address | | - - - - - - - |
|---------------| +>| Section 1 |
| Section 2 | | |
|---------------| |---------------|
. . . | Section 2 |
|---------------| |---------------|
| Section n | . . .
+---------------+ |---------------|
| Section n |
+---------------+

The virus looks for duplicate infection and prevents it, and, in addition, the virus infects files quite accurately: in tests, not all infected files were corrupted, and the virus was able to replicate itself from them.
While infecting, the virus uses the temporary VI324.TMP file. This file name was the reason behind the selecting of the virus name(VIxxx.Txx).

Home