Virus Database

Lct.599

Description Lct.599

This is a benign non memory-resident parasitic virus. Upon being executed, it searches for all COM files of the current directory, and writes itself to the end of the file. On December 25th, upon being executed, the virus immediately returns to DOS. The virus contains the text string:
*.COM LiquidCode 92

Check other viruses! Be aware! Use Antiviral Software

Markiz.1972

Description Markiz.1972

This is a dangerous memory resident encrypted parasitic virus. It traces and hooks INT 21h, then it infects COM and EXE files. The virus contains the text strings:
MARKIZ-4/³1995 [note displayed in HTML version)

This virus uses a quite complex method of infecting files: it encrypts and writes itself to the end of the file, then writes the decryption loop and jump-to-virus instruction to the file middle at the calling address to INT 21h code, which is performed as the first one when the file is executing. While infecting, the virus does not modify the file beginning (except Module Length fields in EXE header):
Not infected file Infected file
+---------------+ +---------------+
ƒall ƒ ƒ... ƒ
ƒ---------------ƒ ƒ---------------ƒ
ƒcall to INT 21hƒ ƒdecryption loopƒ
ƒ---------------ƒ ƒJMP Virus ƒ---
ƒ... ƒ ƒ---------------ƒ ƒ
ƒ... ƒ ƒ... ƒ ƒ
+---------------+ ƒ---------------ƒ<--
ƒvirus ƒ
ƒ ƒ
+---------------+

To fulfill this method, the virus intercepts all INT 21h functions. When any file is being executed (AX=4B00h), the virus turns itself to "infection mode", and returns control to the original INT 21h handler. DOS loads the file into the system memory, and passes control to the file's code. Usually the programs call different INT 21h functions, and the virus intercepts the first of such calls, gets the address of the code that performs it, calculates the offset of that code in the file, and writes its decryption routine and JMP_Virus code to the file at that address.
The virus checks the file to prevent infection of packed files and the verwriting of relocated addresses in EXE files. To do this, the virus compares the code in the memory with the code in the file before overwriting. If these codes are different, the virus does not infect the file.
To detect the termination of the program and turn off the "infection mode," the virus also hooks INT 20h and 27h. This is necessary if the file does not perform any INT 21h calls while working.

Markiz.2620

Description Markiz.2620

This is a dangerous memory resident encrypted parasitic virus. It traces and hooks INT 21h, then it infects COM and EXE files. The virus contains the text strings:
[-DEDiCA+ED-Ï0-MARKiZ-]
This virus writes itself to the beginning of COM files and to the end of EXE files that are accessed with DOS functions FindFirst/Next ASCII (AH=4Eh,4Fh). These functions are performed by DOS while executing a file from the command line, and the virus infects that file at that moment. The virus checks the file name before infecting, and does not infect the file if there are any of the following strings found at the beginning of a file name:
ADIN AID ANT DRW FIND MSA NAV VSA WEB

With a probability of 1/256 while executing the FO?MA*.EX* files (FORMAT.EXE), the virus renames them to *.?d? ('d' - 229 ASCII).
In February and October, some time after installation, the virus displays messages, and manifests itself with video and sound effects.

Home