Virus Database


Luce.4628

Description Luce.4628

This is a very dangerous memory-resident parasitic polymorphic virus. It hooks INT 1Ch (timer tick) and INT 21h and writes itself to the end of COM and EXE files that are executed, opened, renamed, or accessed through the DOS FindFirst function (INT 21h, AH=4Eh). If the full name of an accessed file (including the directory path) contains one of the substrings F77, MSFORT, GAMES, GAME or UTIL, the virus, depending on the current day, overwrites that file with a program that displays this message when executed:
XXXXXXX XX XX XXXXXXXXX XXXXXXXX XX XX
XX XX XX XX XX XX XX XX XX
XX XX XX XX XX XX XX XXxxXX
XX XX XX XX XXXXXXX XX XX XXXX XXXX
XX XX XX XX XX XXXXXXXx XXxxXX
XX XX XX XX XX XX XX XX XX
XXXXXXX xXXx XXXXXXXXX XX XX XX XX

That program then returns to DOS. After overwriting a file, the virus also clears the floppy-drive type entry in CMOS, which disables the floppy drives. On Mondays the virus additionally overwrites the master boot record (MBR) of the hard disk with a program that displays this message while the system boots:
Hard disk destroyed by mutant-virus "LUCIFER"

Depending on the system time and date, the virus manifests itself with a video effect: it shifts the screen up and down.
The virus contains the text strings:
Virus Luce.4619 by OVER-X.
POLYMORPHIC ALGORITHM IS CREATED BY OVER-X


Evolution.2761

Description Evolution.2761

This is a dangerous memory-resident parasitic polymorphic stealth virus. On execution it copies itself into an upper memory block (UMB) or into conventional memory, traces and hooks INT 13h and INT 21h, hooks INT 09h, and writes itself to the end of EXE files that are executed, renamed or closed.
On file opening the virus runs its stealth routine: it opens the file, loads it into memory and runs a trace routine that steps through the decryption loop and restores the original contents of the virus body, including the fields of the infected EXE header that it saved. It then restores the EXE header of the file from the decrypted data and truncates the file to its original length, so an infected file is disinfected on opening while the virus is resident.
Two of the hooked interrupts call trigger routines. The first is INT 13h: on every 256th call to INT 13h with AH=02h or AH=03h (read/write sectors) the virus runs a damage routine that flips one randomly selected bit in the data buffer.
The second trigger interrupt is the keyboard handler INT 09h. When Alt, Ctrl or Del is pressed the virus checks its internal counters and the system timer and, depending on their values, displays the message below (this variant displays it in Chinese), delays and reboots the computer:
-=[ ... ]Dec 1993 6-   (note: partly not displayable in HTML)
The virus uses i386 extended registers and several other newer Intel instructions. On installation it checks the processor mode. If the processor is in real mode (DOS was loaded without a memory manager such as QEMM or EMM386, and the DOS session is not running under MS Windows, OS/2 or the like), the virus uses a special technique to hide itself in memory: it copies the Interrupt Vector Table into the body of its TSR copy (it reserves enough memory, about 7K, for code and data) and loads the address of this copy into the Interrupt Descriptor Table register with the i386+ LIDT instruction. LIDT is a privileged instruction, so under a memory manager or multitasker, where DOS runs in virtual-8086 mode, it would raise a protection fault instead of executing; that is why the mode check comes first.
As a result the processor fetches interrupt vectors from the copy inside the virus body instead of from the original table at linear addresses 0000:0000-0000:03FF. The original table could be filled with zeros and the computer would keep working: the CPU no longer reads it, so that memory is effectively free.
This trick hides the virus in memory very well. Standard debuggers and anti-virus utilities do not work correctly: debuggers cannot install their trace and breakpoint vectors (INT 01h/03h), and anti-virus utilities cannot find the real addresses of the "virus-alarm" interrupts INT 13h, 21h, 25h and 26h, because these utilities either read the standard interrupt table at 0000:0xxx directly or use the DOS INT 21h Get/Set Vector functions (AH=35h/AH=25h), both of which still refer to the abandoned original table. A tool that reads the IDTR with SIDT and compares its base with 0 would see the relocation.

Evolution.2770

Description Evolution.2770

Evolution.2770 is a variant of Evolution.2761 (see the entry above) with the same infection method (memory-resident, parasitic, polymorphic, stealth; hooks INT 13h, INT 21h and INT 09h; infects EXE files on execute, rename or close; disinfects an infected file on open while resident), the same INT 13h and INT 09h trigger routines (one random bit flipped in the buffer on every 256th sector read/write; message, delay and reboot on Alt, Ctrl or Del depending on counters and the system timer) and the same Interrupt Vector Table relocation with LIDT when the processor is in real mode. It differs in the message displayed by the INT 09h trigger, which this variant shows as plain text:
-=_ Evolution 2001 Virus was done by lord Salivantis - Nov/Dec 1993 _=-
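The Interrupt Vector Table relocation described in the Evolution.2761 and Evolution.2770 entries, as an added worked model written for this page (it is not code from the page or from the virus). It models real-mode low memory as a byte array and the IDTR as a struct: `cpu_dispatch` reads a vector the way the processor does (relative to IDTR.base), `naive_get_vector` reads linear 0000:0000 the way a debugger, scanner or DOS Get Vector does, `virus_install` performs the copy-hook-LIDT sequence from the description, and `idtr_relocated` is the SIDT-based check that catches it. The pre-infection vector values, the TSR location (linear 0x1000, segment 0100h) and the handler offsets are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IVT_ENTRIES 256
#define IVT_BYTES   (IVT_ENTRIES * 4)
#define MEM_SIZE    0x2000               /* low memory modelled: IVT plus room for the TSR copy */

/* IDTR as SIDT stores it: 16-bit limit and 32-bit linear base. In real mode the CPU still
 * fetches the "INT n" vector from IDTR.base + n*4; only the default base happens to be 0. */
typedef struct { uint16_t limit; uint32_t base; } idtr_t;

typedef struct {
    uint8_t mem[MEM_SIZE];               /* linear memory; 0x0000-0x03FF is the original IVT */
    idtr_t  idtr;
} machine_t;

/* Pack seg:off the way an IVT slot stores it (offset in the low word). */
static uint32_t farptr(uint16_t seg, uint16_t off) { return ((uint32_t)seg << 16) | off; }

static void ivt_set(uint8_t *tbl, unsigned vec, uint32_t fp) { memcpy(tbl + vec * 4, &fp, sizeof fp); }
static uint32_t ivt_get(const uint8_t *tbl, unsigned vec) { uint32_t fp; memcpy(&fp, tbl + vec * 4, sizeof fp); return fp; }

/* Constructed pre-infection vectors; illustrative values, not taken from the page. */
#define ORIG_INT09 farptr(0xF000, 0xE987)
#define ORIG_INT13 farptr(0xF000, 0xEC59)
#define ORIG_INT21 farptr(0x0116, 0x10A6)
#define BIOS_IRET  farptr(0xF000, 0xFF53)

void machine_reset(machine_t *m) {
    memset(m, 0, sizeof *m);
    m->idtr.base  = 0;                   /* reset state: vectors are read from linear 0 */
    m->idtr.limit = 0xFFFF;              /* reset value of IDTR.limit, so the limit alone is no tell */
    for (unsigned v = 0; v < IVT_ENTRIES; v++) ivt_set(m->mem, v, BIOS_IRET);
    ivt_set(m->mem, 0x09, ORIG_INT09);
    ivt_set(m->mem, 0x13, ORIG_INT13);
    ivt_set(m->mem, 0x21, ORIG_INT21);
}

/* What the CPU does for INT n: read the slot relative to IDTR.base. */
uint32_t cpu_dispatch(const machine_t *m, unsigned vec) { return ivt_get(m->mem + m->idtr.base, vec); }

/* What a debugger or scanner does when it reads 0000:0000 directly; DOS Get Vector
 * (INT 21h, AH=35h) reads the same memory and therefore gives the same answer. */
uint32_t naive_get_vector(const machine_t *m, unsigned vec) { return ivt_get(m->mem, vec); }

/* The trick as the entries describe it: copy the IVT into the TSR body, hook the copy,
 * then LIDT so the processor uses the copy. Linear 0000:0000 is left untouched. */
void virus_install(machine_t *m, uint32_t tsr_linear, uint16_t virus_seg) {
    uint8_t *copy = m->mem + tsr_linear;
    memcpy(copy, m->mem, IVT_BYTES);
    ivt_set(copy, 0x09, farptr(virus_seg, 0x0100));   /* hypothetical handler offsets */
    ivt_set(copy, 0x13, farptr(virus_seg, 0x0200));
    ivt_set(copy, 0x21, farptr(virus_seg, 0x0300));
    m->idtr.base  = tsr_linear;                        /* LIDT */
    m->idtr.limit = IVT_BYTES - 1;
}

/* The check that defeats the trick: SIDT and compare the base with 0. */
bool idtr_relocated(const machine_t *m) { return m->idtr.base != 0; }

/* Number of vectors on which the table at 0 and the table the CPU really uses disagree. */
unsigned hidden_hooks(const machine_t *m) {
    unsigned n = 0;
    for (unsigned v = 0; v < IVT_ENTRIES; v++)
        if (naive_get_vector(m, v) != cpu_dispatch(m, v)) n++;
    return n;
}

/* Fresh machine with the virus installed at linear 0x1000 (segment 0100h); both constructed. */
machine_t *infected_machine(void) {
    static machine_t m;
    machine_reset(&m);
    virus_install(&m, 0x1000, 0x0100);
    return &m;
}

int main(void) {
    machine_t *m = infected_machine();
    printf("INT 21h at 0000:0084h: %08X   used by CPU: %08X\n",
           (unsigned)naive_get_vector(m, 0x21), (unsigned)cpu_dispatch(m, 0x21));
    printf("IDTR relocated: %s   vectors hidden: %u\n",
           idtr_relocated(m) ? "yes" : "no", hidden_hooks(m));
    memset(m->mem, 0, IVT_BYTES);        /* zero the original table: dispatch still works */
    printf("after zeroing 0000:0000, INT 13h goes to %08X\n", (unsigned)cpu_dispatch(m, 0x13));
    return 0;
}
```

The model reproduces the three observations in the entries: the table at 0000:0000 still shows the pre-infection INT 21h address while the CPU dispatches to the hook, zeroing that table changes nothing for the running machine, and only a comparison of the SIDT base against 0 (not the limit, whose reset value is 0xFFFF) reveals the relocation. On a real DOS machine the same check is a 6-byte `SIDT` store on a 386+ in real mode; under a memory manager the virus never takes this path, because LIDT would fault in virtual-8086 mode.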


    Copyright © 2005 Virus-Database.com