Virus Database

Ignorance

Description Ignorance

It is a harmless memory resident multipartite encrypted virus. While loading from an infected floppy disk or MBR it hooks INT 13h, waits for DOS loading and then it hooks INT 21h. While executing an infected file the virus infects the MBR of the hard drive, then hooks INT 13h and 21h. By hooking INT 13h it realizes stealth algorithm on reading the infected MBR, it also uses INT 13h for floppy boot sectors infection. By hooking INT 21h it writes itself to the end of COM, EXE and SYS files that are accessed. The virus contains the text strings:
Ignorance is Strength
Freedom is Slavery
War is Peace
COMEXEBINOVLSYSSCCLVSF-
[1984] bY [TäLöN< >NûK_] '93! THiS iZ iNFeCTi0N #00000032!
Greetz RS/NuKE!

where "#00000032" is virus generation number, that value may be not the same in different infected files/sectors. "COMEXESYSBINOVL" is the string of the file name extensions which are "infectable". "SCCLVSF-" is the string of the anti-virus software names (two bytes per name: SCAN.EXE, CLEAN.EXE, e.t.c.). While executing these files the virus disables some of its semi-stealth algorithm branches.

Check other viruses! Be aware! Use Antiviral Software

Asterisk

Description Asterisk

It is a dangerous memory resident boot virus. It copies itself at the address 7000:7C00 (it causes system crash in a lot of cases), hooks INT 13h, 17h and writes itself into MBR of hard drive and floppy boot sectors. In some cases it plays with the printer, and displays the asterisk '*'.

Astra Family

Description Astra Family

Astra.498,510,521
These are not dangerous memory resident parasitic viruses. They move themselves into Interrupt Vectors Table at the address 0020:XXXX, hook INT 21h and infect SYS-files of the current directory on every call to DOS function FindFirst. The viruses write themselves at the file end, in which they modify only interrupt subroutine address.
The viruses of this family contain the text "(5)" and depending of the virus version one of the following strings:
(C) AsTrA,1990,JPN
(C) AsTrA,1990
(C) AsTrA,JPN
(C) AsTrA, 1991

The infectors display one of the messages:
I like cold flavour !
I like fragrant smell of flower!
I like a flower's smell!

"Astra.7821" displays a picture in graphic video mode.
Astra_II viruses
These are dangerous memory resident encrypted parasitic viruses. On execution they search for not infected files and hit them, hook INT 21h and stay memory resident. Then these viruses infect the files are executed. "Astra_II.505,882,976" hit COM-files only, other "Astra_II" viruses hit both COM- and EXE-files, "Astra_II.1556" hits COM-, EXE- and SYS-files.
In depending of system timer they encrypt (XOR 55h) Disk Partition Table of hard drive's MBR, then some of them change video font table. They contain the internal strings:
"Astra_II.505": (C) AsTrA, 1991 (1)
"Astra_II.882,976": (C) AsTrA, 1991 (2)
"Astra_II.927": (C) AsTrA, 1991 Child's Play (3)
"Astra_II.1010": (C) AsTrA, 1992 (3)
"Astra_II.1556": Child's Play (C) AsTrA
4D *.COM *.EXE *.SYS (4)

Home