Virus Database

Lotus.2407

Description Lotus.2407

It is a harmless memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. The virus disables VSafe and ThunderByte anti-viruses in the memory and does not infect the files (anti-viruses) with names starting with: TB, F-, FV, IB, VS, IM, SC, MS, DE.
The virus contains the text strings:
TBF-FVIBVSIMSCMSDE
Black Lotus virus ver 2.0 Created by: Killer Bee. Finished on 96-08-15
i'm losing ground you know how this world can beat you down i'm made of
clay i fear i'm the only one who thinks this way i'm always falling down
the same hill bamboo puncturing this skin and nothing comes bleeding out of
me just like a waterfall i'm drowning in 2 feet below the surface i can
still make out your wavy face and if i could just reach you maybe i could
leave this place i do not want this i do not want this don't you tell me
how i feel don't you tell me how i feel you don't know just how i feel i
stay inside my bed i have lived so many lives in my head don't tell me that
you care there really isn't anything, is there? you would know, wouldn't
you? you extend your hand to those who suffer to those who know what it
really feels like to those who've had a taste like that means something and
oh so sike i am and maybe i don't have a choice and maybe that is all i
have and maybe this is a cry for help i do not want this i do not want this
don't you tell me how i feel don't you tell me how i feel you don't know
just how i feel i want to know everything i want to be everywhere i want to
fuck everyone in the world i want to do something that matters.'i do not
want this' NIN -trent reznor

Check other viruses! Be aware! Use Antiviral Software

April1st (SURIV) Family

Description April1st (SURIV) Family

April1st.COM family
These are dangerous memory resident parasitic viruses. On installation into the system memory these viruses use the part of "Jerusalem" virus scheme. These viruses hooksINT 21h and write themselves at .COM-files beginnings on execution of such files. They do not hit the COMMAND.COM file. They do not check file length and corrupt some files instead of infection. On infection they:
create temporary TMP$$TMP.COM file;
write themselves into that file;
write to that file host file body;
delete the host file;
rename TMP$$TMP.COM back to original name.
The viruses manifest themselves by video effects. On April, 1st "April1st.COM.a,b" displays the message: "APRIL 1ST HA HA HA YOU HAVE A VIRUS", and halts the system. On the following days the viruses report: "YOU HAVE A VIRUS !!".
On July, 5th "April1st.COM.b2" displays: "ENGLISH SUCKERS DIE IN BUENOS AIRES!". They contain the internal texts: "COMMAND.COM", "TMP$$TMP.COM" and:
"April1st.COM.a": sURIV 1.01
"April1st.COM.b": Suriv 4.02
"April1st.COM.b2": cOcK!sUcKrI
MADE IN ARGENTINA91

April1st.EXE
This is a dangerous memory-resident file virus that affects .EXE-files on their execution. It is dangerous because it works incorrectly with the file length. On infection the virus incorporates into the middle of the file between the EXE header and the executable module. While infecting the virus:
creates the TMP$$TMP.EXE file;
reads from an infected file the first 1Bh bytes of the header, modifies those bytes that correspond to the module length, start values CS, IP, SS, SP, check sum of the file (value 1984h is set); then writes the modified header into TMP$$TMP.EXE;
copies the relocation table from the infected file into TMP$$TMP.EXE, modifying it by the method described below;
adds to TMP$$TMP.EXE both the copy of the virus and the executable module of the infected file;
deletes the infected file;
gives the name of the infected file to TMP$$TMP.EXE;
Uninfected file Infected file
+-----------+ +-----------+
¦EXE header ¦ -------> ¦EXE header ¦
+-----------¦ +-----------¦
¦Executable ¦ ---+ ¦Virus ¦
¦module ¦ ¦ ¦ ¦
¦ ¦ ¦ +-----------¦
¦ ¦ -+ +---> ¦Executable ¦
+-----------+ ¦ ¦module ¦
¦ ¦ ¦
+-----> ¦ ¦
+-----------+

The file executable module when being infected is shifted some bytes equal to the length of the virus, so the virus has to modify respectively the relocation table: the bytes in every element of the relocation table, corresponding to the segment shift, are increased by the amount, equal to the virus length in paragraphs.
On creating its memory-resident copy the virus uses a part of the "Jerusalem" virus scheme. Since April 1, 1988 the virus deciphers (XOR FFh) and displays the text: "APRIL 1ST HA HA HA YOU HAVE A VIRUS". Then it hangs up the system. On the following days the text does not appear, but approximately 55 minutes after the system is activated it hangs up. The virus hooks INT 21h and depending on the current date might hook INT 1Ch. The virus contains the strings "sURIV" and "TMP$$TMP.EXE".
AntiD
"April1st.COM" family. This virus hooks INT 9 and after the 32th pressing the 'D'-key this key 'mutes': the code of this key is not inserted into the keyboard buffer.

April30.419.a

Description April30.419.a

It is not a dangerous nonmemory resident encrypted parasitic virus. It searches for COM files, then writes itself to the end of the file. On April 30th the virus displays the message:
"NightBird goes,
Along with the Queenall"

The virus also contains the text string:
*April 30 Virus*

Home