Virus Database


Lemena.3544

Description Lemena.3544

This is a non-dangerous, memory-resident, parasitic, polymorphic virus. It copies itself to video memory at address BC00:0000, hooks INT 22h (Terminate call), returns control to the host program, waits for termination and then hooks INT 21h. To hook INT 21h the virus patches the DOS kernel. The virus then writes itself to the end of COM and EXE files that are executed, opened or accessed by the Get/Set File Attributes DOS call.
To hide itself in system memory the virus uses a fairly complex method. When any program is executed, the virus allocates a block of XMS memory, moves its code there, and then copies its INT 22h handler into the DOS kernel (the virus looks for a cave there). The virus then releases INT 21h, hooks INT 22h, erases its TSR copy in video memory and releases control. As a result, while any program (including anti-virus programs) is active, there is no virus code in DOS memory. The main part of the virus code (encrypted) is placed in XMS memory, and the INT 22h handler is "waiting" for the Terminate call to restore the "status quo" (move the virus code from XMS to video memory and re-hook INT 21h).
The virus also uses anti-debugging tricks as well as on-the-fly encryption: it decrypts its subroutines before calling them and encrypts them again after they return.
The virus does not infect anti-virus programs -V.EXE, ADINF, AIDSTEST, AVP, CPAV, and so on according to the string (two letters per name):
-VADAIAVCPDRF-FIGUIMIVMSNAPCSCSPSSSVTBTOV-VAVSWE

The virus deletes the anti-virus databases: ANTI-VIR.DAT, AVP.CRC, CHKLIST.CPS, CHKLIST.MS, CHKLIST.TAV, CRC.SVS, FILES.VVL, FINGERP.VVF, IM.PRM, IVB.INI, IVB.NTZ, MSAV.CHK, SMARTCHK.CPS, AV.CRC, BOOT.CPS, BOOT.MS, BOOT.NTZ, BOOT.TAV, IV.INI, PART.NTZ.
Depending on its random counter, the virus displays the texts:
LEMENA'97
BOKEPH'97

The virus also contains the text strings:
TBDRVXXX
[LEMENA'97] by Bokeph from Batavia, Indonesia
[MENA]


Macro.Word.Katty

Description Macro.Word.Katty

This is a very dangerous macro virus. It contains only one macro, AutoOpen, and infects the global macro area when an infected document is opened. It writes itself to other documents when they are opened.
On May 11th, it displays the following message:
Happy Birthday My Dear Katty!
I Love You!

On August 3rd, it displays:
Today Is My Birthday!
Happy Birthday Maverick!

On the 25th of any month, it deletes the files with the following masks:
C:\*.bat
C:\*.sys
C:\windows\*.dll
C:\windows\*.exe
C:\windows\command\*.com
C:\windows\command\*.exe
C:\windows\command\*.vxd

The virus then displays the message "Ha-Ha!!!"

Macro.Word.Kerranga

Description Macro.Word.Kerranga

This is a very dangerous virus. It contains five macros: Autoexec, FileSaveAs, FileOpen, FilePrintDefault, ToolsMacro.
On Autoexec the virus disables Word virus protection, if it is present in the Tools/Options/General menu, as well as the prompt on saving NORMAL.DOT. On FileOpen and FileSaveAs the virus runs its infection routine. On ToolsMacro the virus opens 65 new documents, but does not execute the original Tools/Macro menu. On FilePrintDefault at 18:00 the virus appends the following text to the end of the document:
Kerbaffely Urgo Kerranga! Kerranga!!!!

Then it deletes all *.DOC files in the current directory.

    Copyright © 2005 Virus-Database.com