Virus Database


IntOv Family

Description IntOv Family

These are dangerous memory-resident parasitic viruses. They hook INT 21h and infect COM and EXE files that are executed or opened. While infecting a file, the virus writes its "loading" code (69h bytes) to the entry point of the file, then writes the rest of its code to the end of the file. When an infected file is executed, the virus loader reserves a block of system memory, copies itself there, gets the name of the host file and reads the rest of the virus code. The virus then restores the code of the host file and returns control to it.
The viruses infect only COM files that begin with a JMP NEAR (E9h) instruction. While infecting EXE files, the viruses check the relocation table so that the loading code does not overlap relocated words.
The viruses have bugs and may halt the system while infecting a file. The viruses contain the text strings:
"IntOv.685":
COMEXEexecom
[IntOv]

"IntOv.708":
COMEXEexecom
[Internal Overlay, Tcp / 29A]


Macro.Word97.SuperIIs

Description Macro.Word97.SuperIIs

This virus contains five macros in the module "Modul1": AutoOpen (in documents) or AutoClose (in NORMAL.DOT), ViewVbCode, ToolsMacro, Flitnic. The virus infects the global macros area on opening an infected document (AutoOpen), and copies itself to other documents on closing (AutoClose).
While infecting, the virus exports/imports its code via the FLITNIC.DRV file, which it creates in the Windows system directory. The virus detects already infected files by the text "'MYNAME=SUPERIISV1.0" that is present in the virus code.
This is a stealth virus. When macro code is viewed by using the ViewVbCode function, the virus copies the infected NORMAL.DOT to the Windows system directory under the name LO.SYS, then creates and runs the DOS batch file LO.BAT, which loops while monitoring for the presence of the temporary Word file, i.e., it waits for the end of editing. The batch file then copies the infected LO.SYS file back over NORMAL.DOT. As a result, the virus is able "to survive" forever even if its code is removed from the global macros area.
The virus contains the comments:
First ever used this kind of Stealth
Written by Flitnic. I haven't yet included a payload!

Macro.Word97.Swatch.b

Description Macro.Word97.Swatch.b

Swatch.b is a Word97 macro virus. It contains three macros: AutoOpen, RepToDocs, RepToNormal.
There is also a macro FileSave present, but not with the given version. When an infected file is opened, the virus creates a temporary file named Tmp.bas in the C: drive root directory, where its code is written. After this it imports the temporary file into normal.dot, thus allowing other MS Word files to become infected. Once the current document is infected, the virus proceeds to delete the Tmp.bas file from the disk.
In general this virus does not contain any destructive functions.
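
A defensive sweep for the indicators named in the three entries above, as an added example that is not part of the original database text. It assumes the text strings are stored verbatim and unencrypted in infected files; the function names are hypothetical and the sample files are constructed, harmless data. Macro source inside a Word document may not appear verbatim in the raw file, so the SuperIIs marker is matched here against exported text such as FLITNIC.DRV.

```python
import os
import tempfile

# Strings the entries above say each virus contains (assumed stored verbatim).
CONTENT_MARKERS = {
    "IntOv.685": (b"COMEXEexecom", b"[IntOv]"),
    "IntOv.708": (b"COMEXEexecom", b"[Internal Overlay, Tcp / 29A]"),
    "Macro.Word97.SuperIIs": (b"'MYNAME=SUPERIISV1.0",),
}
# File names the entries say are dropped; a name alone is weak evidence.
ARTIFACT_NAMES = {
    "flitnic.drv": "Macro.Word97.SuperIIs",
    "lo.sys": "Macro.Word97.SuperIIs",
    "lo.bat": "Macro.Word97.SuperIIs",
    "tmp.bas": "Macro.Word97.Swatch.b",
}

def match_content(data):
    """Return names whose marker strings are all present in data."""
    return sorted(name for name, marks in CONTENT_MARKERS.items()
                  if all(m in data for m in marks))

def scan_tree(root):
    """Walk root and return sorted (relative path, name, kind) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root)
            if fname.lower() in ARTIFACT_NAMES:  # DOS/Windows names: ignore case
                findings.append((rel, ARTIFACT_NAMES[fname.lower()], "artifact-name"))
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip instead of aborting the sweep
            findings += [(rel, n, "content-marker") for n in match_content(data)]
    return sorted(findings)

def demo():
    """Scan a temp directory of constructed, harmless sample files."""
    samples = {
        "GAME.COM": b"\xe9\x10\x00" + b"\x90" * 16 + b"COMEXEexecom\x00[IntOv]",
        "FLITNIC.DRV": b"Sub AutoOpen()\r\n'MYNAME=SUPERIISV1.0\r\nEnd Sub\r\n",
        "README.TXT": b"nothing of interest",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root)
```

A name-only hit (for example a file called Tmp.bas) should be treated as a lead to investigate, while a content-marker hit means every listed string for that variant was found in the file.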

    Copyright © 2005 Virus-Database.com