Virus Database

Ithaqua.8030

Description Ithaqua.8030

It is a dangerous memory resident multipartite polymorphic virus. It infects the MBR of the hard drive, COM and EXE files that are executed. While infecting the MBR the virus encrypts its original contents, as a result the FDISK/MBR command destroys it. The virus also uses other tricks (anti-debugging), it is polymorphic in files as well as in infected MBR sector. The virus has many bugs and often corrupts files and the MBR while infecting them.
The virus uses quite complex ways of infection, they are different under different DOS versions. Under DOS 7+ (Windows) the virus infects EXE files only and does not touch MBR and COM files in any way. It encrypts itself with 512-bytes polymorphic code and writes the result to the end of files. As a result the infected EXE files length grows by 8542 bytes.
Under DOS 6 and lower the virus infects COM files as well as EXE, and affects the MBR when an infected file is run for the first time. While infecting EXE files the virus looks for "cave" (the area of constant data) 8030 bytes of length, and writes itself to there if such cave is found. In this case the file length does not grow. In case of COM files the virus writes itself to the end of the file. To get control when the infected file is executed, the virus either uses standard method (writes JMP_Virus instruction to the file header), or loads the file, emulates it (executes the file's code) for some time, then writes the JMP_Virus command to some place in the middle of the file. In second case the virus encrypts itself with simple XOR loop, and does not run its polymorphic engine, the file length in this case grows exactly by 8030 bytes.
Under DOS 6 the virus also uses emulator (virtual execution routine) to get the INT 21h DOS address, and patches this address with JMP_Virus_Handler command.
On April 29th the virus manifests itself by a video effect: it turns the computer to video mode, displays the text:
[Ithaqua] virus by Wintermute/29A

and then covers this text with "falling snow".
The virus also contains the text strings:
I'm Ithaqua,all that who walks over the wind
Welcome to my world, adventurer. Follow me.
Love. Hate. I'll be awaiting you on the dark side, watching the nonsense.

Check other viruses! Be aware! Use Antiviral Software

Lion.996

Description Lion.996

It is not a dangerous nonmemory resident parasitic virus. It searches for .COM files except COMMAND.COM, then writes itself to the end of the file. The virus contains the ID-text "Lion". Depending on the system date and time the virus decrypts and displays the message, then it reboots the computer:
Kangaroo crossing ERROR at t mod 13
please contact your Dealer

LionKing.3531

Description LionKing.3531

It is a dangerous memory resident stealth polymorphic parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed or closed. When an infected file is opened, the virus disinfects it. While installing and infecting the virus avoids some anti-virus programs, while executing some utilities it disables stealth routine. The virus checks the system environment and infects COMMAND.COM file. Depending on the system date the virus displays the message and erases the disk sectors:
Ja som virus Lion King
Formatujem ti disk lebo devastujes prirodu

It also contains the text strings:
Vypadni z tejto casti RAM!
TBMEMXXXTBFILXXXTBCHKXXXTBDSKXXX
VIRSCANCLEAANTICPAVGUARSHIELKITTRAPPASCSOLOTBAVMSAV
COMSPEC=
tbscan tbsetup cpav msav enav scan viverify avg nodex
pkzip arj uc lharc arc lha
chkdsk

Home