Virus Database

Ksenia.3599

Description Ksenia.3599

This is a dangerous memory resident polymorphic and stealth parasitic virus. It hooks INT 9 and 21h, and writes itself to the end of COM, EXE and SYS files that are accessed. Depending on the system conditions, the virus either hooks INT 21h by a standard method, or traces it and patches it with INT xxh code, where "xx" is randomly selected from the list of unused interrupts.
To detect an already infected file, the virus uses a file date stamp: the current year plus 100. Upon reading infected files and file searching functions, the virus runs its stealth routines; and upon writing to infected files, the virus disinfects them. The virus checks the names of victim files according to the list:
PKZIP,RAR,ARJ,LHA,ARC,DEFRAG,SPEEDISK,CHKDSK,BACKUP,MSBACKUP,SCANDISK,NDD

In case any of these files has been executed, the virus disables its stealth functions. In case the WIN.COM is executed, the virus adds the "/d:c" parameter to the command line. The virus does not infect files if their names begin with the strings:
FI,SC,VS,TB,DR,AV,F-,FP,AD,CO

On Mondays, if a file is executed at 5 minutes past any hour, the virus calls the Novell NetWare function SEND BROADCAST MESSAGE, and sends the message to the Net:
External System Error #05. Connection refused.

On Monday at 17:xx, the virus calls the SYSTEM LOGOUT Novell function.
The INT 9 (keyboard) virus hooker checks keyboard scancodes. If the 'KSENIA' text is entered, the virus displays the text, and halts the computer:
123 4 5 Deadman

On May 5th, when a current disk number is changed, the virus erases data on the current disk.
In additio to the strings listed above, The virus contains the texts:
[KSENIA]
Version 0.99 alpha
Copyright (C) 01/02/99 10:29:34 by Deadman
The Global Project devoted to Ksenia Chizhova

Check other viruses! Be aware! Use Antiviral Software

Nuker.a

Description Nuker.a

On 1st of any month it hooks INT 8,9, and slows down the computer (loop on each INT 8 call). When Alt-Ctrl-Del keys are pressed, the virus displays:
Your PC is working VERY SLOWLY todayall What about a good PENTIUM Processor ?
Before return to the host program the virus checks the system timer, and depending on its value displays the messages, waits for keystroke, compares that keystroke with random selected value, then the virus either returns to the host program, or erases the disk sectors:
+-ƒDANGER!+----------------------------------------------+
ƒ You are infected by ExCESS Virus (c) 1995 by The Nuker ƒ
ƒ--------------------------------------------------------ƒ
ƒ I have destroyed your FATs but I have only ONE copy in ƒ
ƒ my data area. IF YOU REBOOT NOW ALL DATA WILL BE LOST. ƒ
ƒ If this isn`t enough, I have altered your Master Boot ƒ
ƒ Record with a formatting routine in order to low-level ƒ
ƒ format the primary Hard Disk when executed. If you are ƒ
ƒ so dude and you don`t believe me, reboot now and look ƒ
ƒ at your hard disk light spinning... If you don`t want ƒ
ƒ to loose all your data then try to guess a number from ƒ
ƒ 0 to 9 and pray for your answer to be correct, else... ƒ
+--------------------------------------------------------+
You have 3 tries to guess the correct number!!!
Enter the number:
You fucking SHIT!!! You guessed the right number!!!
You are safe this time but next will come very soon
and you will not be so lucky!!!
Sorry, you didn`t entered the correct number!
Retry, and hope you lucky!!!
Hum... you are lucky this time...
Please wait while reconstructing disk structure...
I WAS JOKING! Your Hard Disk has been fucked up!!!
Thank you for choosing another product of...
TTThTeT TNTuTkTeTrT

Nuker.BitchSlap

Description Nuker.BitchSlap

This is a Win32 program that attacks remote Windows machines. It uses an error in the network support Windows library and uses it to crash the remote system by a specially prepared "Out Of Buffer" (MSG_OOB) packet that is sent to port 139.
For more information see "DoS".

Home