Virus Database

Arya.4616

Description Arya.4616

This is a very dangerous memory resident encrypted multipartite virus. It infects the MBR of the hard drive, COM and EXE files. When an infected file is executed, the virus infects the MBR of the hard drive, hooks INT 13h and 21h, and stays memory resident. While loading from an infected disk, the virus hooks INT 1Ch and 13h, waits for the DOS loading process, and hooks INT 21h.
INT 1Ch handler is used by the virus to hook INT 21h. The INT 13h handler contains a stealth routine that is executed upon accessing the infected MBR. INT 21h contains a file infection routine - the virus writes itself to the middle of COM and EXE files that are accessed. Upon changing the current directory and upon deleting files, the virus also searches for COM and EXE files and infects them. After infecting a file, the virus deletes the CHKLIST.MS file, if it exists. The virus does not infect the following files:
CHKDSK.*, COMMAND.COM, EMM386.*, POWER.* INTERLNK.*, MCA.*, MSCDEX.*,
SHARE.*, CERT.*, TOOLKIT.*, GUARDMEM.*, GUARD.*, SCAN.*, CLEAN.*,
FINDVIRU.*, FV*.*, TB*.*, CLEANPAR.*, CLEANBOO.*, VSAFE.*, MSAV.*, NAV.*,
VALIDATE.*, VSHIELD.*, VIVERIFY.*, IMENSCAN.*, TAROMAR.*

Depending on the system date, the virus displays the message:
Arya V1.0
This is the most Powerfull and Technical Iranian program all
Azad University of Lahijan .
Sig: - 17FSAK - ( 1996 )

On the 13th beginning from June, the virus overwrites .DBF, .ZIP, .LZH, .GIF, .DAT, PCX and .GN files with the same message. The virus calculates the CRC sum of its code, and if this sum is wrong, the virus erases the CMOS. The virus has bugs and may halt the system.

Check other viruses! Be aware! Use Antiviral Software

Before.2915

Description Before.2915

It is not a dangerous memory resident parasitic virus. The virus was written in Assembler and its actual code is 1164 bytes, but after that virus author compressed it with AIN executable files compressor, and result virus code (compressed actual virus code and decompression routine) grows up to 2915 bytes.
The virus hooks INT 21h and writes itself to the beginning of COM and EXE files that are executed. The virus does not infect the files: CO*, WI*, EM*, SH*, GD* (COMMAND, WIN, EMM386, all). Depending on the system time and video mode the virus disables executing files (does not allow to start games?). The virus contains the text strings:
COWIEMSHGD
BEFORE.CE.1136 (C) PC Soft Club

Bel.2124

Description Bel.2124

It is a very dangerous memory resident parasitic polymorphic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed or opened. The virus checks file names and does not infect files: CO*, DR*, WE*, AI*, AD*, VB*, AV*, HI*, CH*, CC*. Depending on the system date the virus deletes files with extensions: .CFG, .TIC, .PAC, .PAK, .SAV, .WAD and some other.
The virus contains the text strings:
* reBEL.P1 * üâô (Belarus).
Hi, Mr. Kolyada!

Home