Virus Database

KOV Family

Description KOV Family

These are very dangerous nonmemory resident parasitic viruses. They search for COM and EXE files, then write themselves to the end of the file. The viruses do not infect the files HW*.* and CO*.*. If file with one of th @ @ @ (Type_E/Last Ver.) VIRUS...
(c) KOV (Knight Of Virus)/ Corea 9192/04/02

"Next.1785,1798":
The Return of N.EX.T part I The Being ...
Message from SVS(Seoul Virus Society) 1994/07/26

KOV.Wanderer
These are memory resident viruses. They hook INT 21h and write themselves to beginning of COM and to the end of EXE files that are accessed. "Wanderer.1768" also searches for files and infects them.
"Wanderer.1347" is a harmless virus, it does not manifest itself in any way. "Wanderer.1332" drops a trojan jorse. Other viruses depending on the system time erase disk sector, the CMOS and halt the computer.
The viruses contain the texts:
"Wanderer.1347": [I am a Wanderer ,May 30th,1994 Korea]
"Wanderer.1589":
[The KEEPER by SVS in KOREA,1994/07/08]
Don't use any anti-virus program to cure it.
"Wanderer.1591":
[The KEEPER by SVS in KOREA,1994/07/11]
Warning! Don't use any anti-virus program to cure it.
"Wanderer.1768":
*.EXE
[I am a ASSASSIN by SVS in KOREA,1994/07/16]
Warning?! Don't use any anti-virus program to cure it.

Check other viruses! Be aware! Use Antiviral Software

Alia.1023

Description Alia.1023

It is a harmless memory resident parasitic polymorphic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed or opened. The virus contains the internal text string:
~ALIA~

Alicia

Description Alicia

It is a dangerous memory resident polymorphic parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files. While hooking INT 21h the virus patches the original INT 21h handler with the Jmp_Virus instruction. The virus then infects files that are found while searching for files in disk directories (DOS functions FindFirst/Next).
The virus also affects archives and adds to them its infected dropper - a dummy program infected by the virus. The name of dropper is selected randomly like listed below, all these names are real ones that were detected on replicating the virus on test PC:
HDBK.COM, HDNK.COM, HDDK.COM, HDOK.COM, HDPK.COM, KDHD.COM

The virus detects archive files by using filename extensions. The list of accessed extensions looks like follows: ZIP, ARJ, RAR, ACE, HA, ARC, PAK, LZH, LHA, ZOO. While infecting archives the virus parses their internal formats, creates new record and writes infected dropper to there. The virus supports eight archive formats: ZIP, ARJ, RAR, ACE, HA, PAK/ARC, LZH/LHA, ZOO (PAK/ARC and LZH/LHA use the same archive formats).
While testing virus in our lab we could not to infect PAK/ARC archives. We also could not extract infected droppers from LZH/LHA archives: the original archivers halted the system because of corrupted archive contents, the reason of corruption were bugs in the virus routines. Other archives were infected and droppers were extracted without any problem.
On May 24, or on executing and infected dropper the virus displays letter-by-letter the followed string, all letters are enlarged while displaying:
A l i c i a # Version Gamma 0 . 1 # by Star0 I K X In honor of B0z0 ikx

Home