Virus Database


Int13

Description Int13

It is a very dangerous memory resident parasitic stealth virus. It hooks INT 13h and INT 21h and writes itself to the beginning of COM files that are accessed with the DOS FindNext function. The virus uses quite exotic infection methods that might result in computer failure and loss of files.
While infecting, the virus moves the first 512 bytes of the file to the end of the file, writes itself to the beginning of the file, and exits the infection routine without increasing the file length. As a result, the original header of the file lies outside the file's body, but the file is not corrupted.
To fix that problem, the virus stores the physical (INT 13h) address of the sector that contains the original file header, and then, when the disk is read (INT 13h), the virus "shows" the sector with the uninfected file header instead of the real one. This is a stealth algorithm at the INT 13h level. So, while the system is infected with the virus, DOS loads infected files as uninfected ones.
To get the address of the original file header, the virus writes the header to the end of the file with an INT 21h call. DOS receives that call and translates it to INT 13h format; the virus then intercepts that INT 13h call and stores the values of the corresponding registers (i.e. the address of that sector).
The virus also uses INT 13h calls when writing to the file, so it does not have to handle file attributes, file time, or write-protect errors (INT 24h). The virus contains the string:
Int 13


SpiceGirl Family

Description SpiceGirl Family

These are harmless memory resident parasitic viruses. They hook INT 21h and write themselves to the beginning of COM files (except COMMAND.COM) that are accessed. The viruses are encrypted starting from the 1619-byte version. Starting from the 2123-byte version they are semi-stealth: on opening an infected file they create a temporary file, write a disinfected copy of the original file to it, and return the "handle" of the disinfected copy instead of that of the original file. On closing, these viruses delete the temporary file.
The viruses use a new way to avoid detection: the infected files have no entry point (start code). The entry point address in infected files lies outside the file body, and it is impossible to reach the virus code by parsing the EXE header. To implement this method the virus uses several PSP (Program Segment Prefix) and EXE header tricks.
The virus code is in EXE format, i.e. the virus as a program is an EXE program with an EXE header, relocation table and so on (as a result, infected COM files have the EXE internal format). The EXE header fields in the virus (initial CS and IP) are patched so that the entry address points not to file code but to PSP data (i.e. outside the file). At that address the PSP contains the RET FAR code that follows the call to the INT 21h handler. So the virus entry address points to the RET FAR code, and control is then passed to the code that the stack points to. To pass control to its real entry code, the virus sets the initial stack registers (SS and SP) in its EXE header and has stack data that points to the real entry:
     +------------+ PSP                        Control flow
0000 |CD 20       |
.... |            |
0050 |CD 21       |
0052 |CB / RET FAR| Entry address, DOS will    <-----+
.... |            | bring control to here       -----+
                                                     |
0100 +------------+ Virus code (file image)          |
     |            |                                  |
     |------------|                                  |
     |Stack       | Stack data points to        ---->|
     |            | real entry                       |
     |------------|                                  |
     |            | Real virus entry code      <-----+
     | . . .      |

The viruses contain the text strings:
What? 'Error: invalid program'? Me? Fprot, are you crazy? :)
And you, Avp, 'EXE file but COM extension'. What a deep scan. ;)
Spice_Girls virus causes problems to your scan engine eh? :)
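
The entry-point trick described for the SpiceGirl family can be checked statically by a scanner. The following is an added example, not code from the original page or from any antivirus product: it parses the MZ header, reports whether the initial CS:IP lands inside the file image, inside the PSP, or elsewhere, and, when the entry is the RET FAR byte at PSP:0052, reads the far pointer at the initial SS:SP. The function names and sample images are constructed for illustration, and the stacked segment word is shown as stored in the file, before any load-time relocation.

```python
import struct

PSP_SIZE = 0x100        # the PSP is the 0x10 paragraphs directly below the load image
PSP_RETF = 0x52         # PSP:0050 holds CD 21 CB, so RET FAR sits at PSP:0052

def classify_mz_entry(data: bytes) -> dict:
    """Report where the initial CS:IP of an MZ-format file lands."""
    if len(data) < 0x18 or data[:2] not in (b"MZ", b"ZM"):
        return {"mz": False}
    cblp, cp, _, cparhdr, _, _, ss, sp, _, ip, cs = struct.unpack_from("<11H", data, 2)
    hdr = cparhdr * 16
    declared = cp * 512 - ((512 - cblp) if cblp else 0) - hdr
    image_size = max(0, min(declared, len(data) - hdr))   # bytes really present
    entry = cs * 16 + ip                         # offset from load image start
    psp_off = ((cs + 0x10) & 0xFFFF) * 16 + ip   # same address seen from PSP:0000
    if entry < image_size:
        where = "image"
    elif psp_off < PSP_SIZE:
        where = "psp"                            # relative CS wrapped back into the PSP
    else:
        where = "outside"
    out = {"mz": True, "entry_in": where, "suspicious": where != "image",
           "psp_offset": psp_off if where == "psp" else None, "stacked_far_ptr": None}
    # RET FAR pops IP, then CS, from SS:SP. If the initial stack lies inside the
    # file image, those four bytes show where control really goes.
    stack = ss * 16 + sp
    if out["psp_offset"] == PSP_RETF and stack + 4 <= image_size:
        out["stacked_far_ptr"] = struct.unpack_from("<HH", data, hdr + stack)
    return out

def build_sample(cs: int, ip: int, ss: int, sp: int, image: bytes) -> bytes:
    """Constructed test input: minimal 32-byte MZ header followed by `image`."""
    total = 32 + len(image)
    fields = (total % 512, (total + 511) // 512, 0, 2, 0, 0xFFFF, ss, sp, 0, ip, cs)
    return (b"MZ" + struct.pack("<11H", *fields)).ljust(32, b"\0") + image

# Constructed images: inert filler bytes, with a far pointer (IP=0x0030, CS=0x0000)
# placed at offset 0x20, where the trick sample's SS:SP points.
IMAGE = bytes(0x20) + struct.pack("<HH", 0x0030, 0x0000) + bytes(0x1C)
TRICK = build_sample(cs=0xFFF0, ip=0x0052, ss=0, sp=0x20, image=IMAGE)
NORMAL = build_sample(cs=0, ip=0x0010, ss=0, sp=0x40, image=IMAGE)

if __name__ == "__main__":
    for name, blob in (("trick", TRICK), ("normal", NORMAL)):
        print(name, classify_mz_entry(blob))
```

Because the check is applied to the file contents rather than the extension, it also covers COM-named files that carry the EXE internal format.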

Spirit.1710

Description Spirit.1710

It is a dangerous memory resident parasitic virus. It traces and hooks INT 21h, then writes itself to the beginning of COM files and to the end of EXE files that are accessed. The virus checks the file name and does not infect the files:
COMMAND.COM F-PROT F-TEST VIR DIR2CLR
IMV ANTI DOCTOR SCAN CLEAN IVC CHKDSK

Depending on the system date and time, the virus erases some sectors of the hard drive. The virus also contains the text strings:
COMEXE
** (C) The Evil Spirit ** Gabrovo city, Bulgaria. Last_change : 28.05.1993


    Copyright © 2005 Virus-Database.com