Macro.Word.MDMA
Description Macro.Word.MDMA
Macro.Word.MDMA is an encrypted virus. It contains only one macro, AutoClose, and infects the system and files when a file is closed. On the 1st of any month the virus corrupts files in a way that depends on the installed system, and then displays a message box with the text:
MDMA_DMV You are infected with MDMA_DMV. Brought to you by MDMA (Many Delinquent Modern Anarchists).
Under Windows the virus deletes the C:\SHMK file and overwrites C:\AUTOEXEC.BAT with the commands:
@echo off
deltree /y c:
@echo You have just been phucked over by a virus
As a result, after rebooting, all files in all subdirectories will be deleted. Under Windows NT the virus deletes all files in the root directory as well as the C:\SHMK file. Under Macintosh the virus deletes the files in the system directory(?). Under other systems (Windows 95) the virus deletes the C:\SHMK file and all *.HLP files in the C:\WINDOWS directory. The virus then sets some private profile strings and deletes all *.CPL files in the C:\WINDOWS\SYSTEM directory.
Omi.986
Description Omi.986
This is a non-dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of .EXE files that are executed. On every 16th installation the virus fills the screen with the text: "OMI".
OneHalf family
Description OneHalf family
These are dangerous memory-resident polymorphic multipartite viruses. When executed, they infect the MBR of the hard drive. When the system boots from an infected disk, they hook INT 13h, 1Ch and 21h and write themselves to the end of COM and EXE files that are accessed. While infecting a file they check its name and do not infect the files: SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV, CHKDSK. The virus's decryption routine is divided into several parts that are placed at random offsets in infected files (see the "Bomber" virus).
While infecting the hard drive, "OneHalf" checks the Partition Table, looks for the last DOS partition (a DOS logical disk: FAT-12/FAT-16/BIGDOS) or extended partition, and calculates the first and last cylinder numbers of that disk or extended partition. It saves the pointer to the last cylinder at offset 29h in the hard drive's MBR. On each boot from the hard drive the virus decreases that pointer by two and encrypts the two cylinders that the pointer points to. On the first boot from the hard drive the virus encrypts the last two cylinders, on the next boot the next two from the end, and so on. The encrypted "spot" at the end of the last logical disk or partition therefore grows by 2 cylinders on each boot.
When that "spot" reaches the middle of the disk or partition, the virus may display the following text (depending on other conditions: on the 4th, 8th, 10th, 14th, 18th, 20th, 24th, 28th and 30th of each month, and if the generation of the virus is even):
Dis is one half. Press any key to continueall
After loading into system memory the virus decrypts and encrypts these sectors on the fly, so the corrupted sectors appear in their original form, but after disinfection all the encrypted data is lost.
"OneHalf.3518" does not use a polymorphic engine to encrypt itself. It displays:
A20 Error !!! Press any key to continue ...
"OneHalf.3544.b" does not infect the files: AIDS*.*, ADINF*.*, DRWEB*.*, ASD*.*, MSAV*.*. This virus displays:
Dis is TWO HALF. Fucks any key to Goping...
"OneHalf.3544.c" does not encrypt the hard drive sectors. This virus displays:
Disk is Tpu half. (Bepx, Hu3 u Pe6po)
The viruses also contain the strings:
"OneHalf.3544.a": Did you leave the room ?
"OneHalf.3544.b": User is loh !
"OneHalf.3577": DidYouLeaveTheRoom?
OneHalf.Madjid
This virus is not itself encrypted, but it encrypts hard drive sectors just as the original "OneHalf" does. This virus displays the text:
OHHHHH... MADJID Here is very dark. HELP ME... HELP ME... HELP... I am here .They kill the love .I am solitary . Press RETURN for continue
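Because the encrypted data is lost once the virus is removed, a responder can read the pointer at offset 29h from a saved copy of the MBR and record the extent of the encrypted "spot" before cleaning. The Python code below is an added example, not part of the original description; the 16-bit little-endian field width, the rule that the cylinders above the pointer are the encrypted ones, and the names read_pointer, encrypted_extent and build_sample_mbr are assumptions.

```python
import struct

POINTER_OFFSET = 0x29  # offset 29h in the MBR, as given in the description


def read_pointer(mbr: bytes) -> int:
    """Return the cylinder pointer stored in a 512-byte MBR image."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with the 55AA boot signature")
    # Assumption: the pointer is a 16-bit little-endian value.
    return struct.unpack_from("<H", mbr, POINTER_OFFSET)[0]


def encrypted_extent(pointer: int, first_cyl: int, last_cyl: int) -> dict:
    """Describe the encrypted "spot" at the end of the disk or partition.

    Assumption: cylinders above the pointer, up to last_cyl, are encrypted.
    This matches "the first boot encrypts the last two cylinders".
    """
    if not first_cyl <= pointer <= last_cyl:
        raise ValueError("pointer lies outside the partition's cylinder range")
    count = last_cyl - pointer
    middle = first_cyl + (last_cyl - first_cyl) // 2
    return {
        "encrypted": range(pointer + 1, last_cyl + 1),
        "cylinders": count,
        "boots": count // 2,                # two cylinders per boot
        "reached_middle": pointer <= middle,
    }


def build_sample_mbr(pointer: int) -> bytes:
    """Constructed test image: zero-filled MBR carrying only the pointer."""
    mbr = bytearray(512)
    struct.pack_into("<H", mbr, POINTER_OFFSET, pointer)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    # Constructed sample: partition spans cylinders 0..1023, pointer at 1015.
    info = encrypted_extent(read_pointer(build_sample_mbr(1015)), 0, 1023)
    spot = info["encrypted"]
    print(f"encrypted cylinders {spot.start}..{spot.stop - 1}, "
          f"{info['boots']} boots, middle reached: {info['reached_middle']}")
```

The first and last cylinder numbers come from the Partition Table entry of the last DOS or extended partition, which the code expects the caller to supply.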