Implant.6128
Description Implant.6128
These are very dangerous memory-resident, polymorphic, stealth multipartite viruses. They infect .COM, .EXE and .SYS files as well as the MBR of the hard drive and the boot sector of floppy disks. When an infected file is executed, the virus writes itself to the MBR of the hard drive and returns control to the host program. When the system boots from an infected disk, the virus hooks INT 12h, 13h and 1Ch, waits for DOS to load, and then hooks INT 21h. It then writes itself to the end of files that are closed or renamed, and on the Get/Set File Attributes DOS call. When a program is executed, the virus stores its name and infects the file when the program terminates. When an infected file is opened or read, the virus runs its stealth routine. When an infected file is written to, the virus disinfects it. If one of the archiving utilities (ARJ, PKZIP, PKLITE, LHA) or BACKUP is active, the virus turns off its stealth routines. When the TBAV or SCAN anti-virus is executed, the virus adds new options to the command line and turns off anti-virus memory scanning. When Windows is executed, the virus adds a parameter to the command line to disable 32-bit disk access, which is logical for a multipartite virus. Some of the "Implant" viruses also do not infect anti-virus programs whose names begin with 'TB', 'SC', 'F-', 'GU', or files whose names contain the characters '0' - '9', 'V', 'MO', 'IO', 'DO', 'IB'. Through its INT 13h hook, the virus applies its stealth routine when infected disk sectors are accessed. When the boot sector of the A: drive is read, the virus infects it. To store its code, the virus formats an extended track on the disk. On June 4th the virus erases hard drive sectors, beeps and displays the text: <<< SuckSexee Automated Intruder >>> Viral Implant Bio-Coded by Griyo/29A
In 1997 somebody sent the "Implant.6128" virus to Internet conferences in the file NENA.EXE, which displays a picture of a naked girl.
Dialogos.1522
Description Dialogos.1522
This is a non-dangerous, non-memory-resident parasitic virus. It searches for the files C:\COMMAND.COM, C:\DOS\COMMAND.COM, C:\MSDOS\COMMAND.COM and C:\DRDOS\COMMAND.COM, then for *.COM files, and writes itself to the end of each file. On June 10th it displays the following message and halts the computer: 1984-1994 10 Aniversario de DIALOGOS-3 de RNE. Dedicado a Ramon por estos 10 anos, y por venir a la SALA-4. Buscad la belleza es la unica protesta que merece la pena, en este asqueroso mundo. 10/03/95 Valencia ESPANA
Diametric.3514
Description Diametric.3514
This is a dangerous memory-resident, parasitic, polymorphic virus. It copies parts of its code to the DOS kernel and to XMS memory, hooks INT 21h, and writes itself to the end of EXE files when they are executed or opened and when their file attributes are accessed. The virus has bugs and in some cases halts the computer. The virus checks the file name and does not infect anti-virus files, which it recognizes using the following string (two letters per name): -VADAIAVCPDRF-FIGUIMIVMSNAPCSCSPSSSVTBTOV-VAVSWE
The virus deletes the anti-virus databases: ANTI-VIR.DAT, AVP.CRC, CHKLIST.CPS, CHKLIST.MS, CHKLIST.TAV, CRC.SVS, FILES.VVL, FINGERP.VVF, IM.PRM, IVB.INI, IVB.NTZ, MSAV.CHK, SMARTCHK.CPS, AV.CRC, BOOT.CPS, BOOT.MS, BOOT.NTZ, BOOT.TAV, IV.INI, PART.NTZ
The virus uses a rather complex method to install its TSR copy. First, it allocates a block of XMS memory and copies its code there. It then obtains the address of the System FCB Tables, decreases their total number and copies its "XMS manager" (94h bytes) into the freed space. The virus also scans the DOS kernel for specific code of the original INT 21h handler and stores its address. Before returning control to the host program, the virus hooks INT 22h. When the host program terminates, the virus patches the DOS kernel with a FAR JMP to the virus' INT 21h handler. Because the virus keeps its main code in XMS, that code is not available for execution and the virus cannot infect files. To get around this, the virus "XMS manager" copies the main virus code to video memory at the address BBF0:0100. If this code is not needed (there is no file to infect), the virus erases it. As a result, only 94h bytes of virus code reside in DOS memory, and this code is hidden in the DOS kernel. The virus also contains the text strings: TBDRVXXX [DIAMETRIC by Rajaat / Genesis] [RTFM]
On May 16th, depending on its random counter, the virus manifests itself with a video effect: it displays "DIAMETRIC" and moves the letters to form "MATRICIDE".