Macro.Word.Sveta
Description Macro.Word.Sveta
This virus contains two macros: AutoOpen and Sveta. It replicates when an infected document is opened (AutoOpen): it searches for documents in the FileList (the recently used files list) and infects them. The virus is therefore "non-memory-resident": it is active only while an infected document is being opened and the AutoOpen macro has control. Once it releases control, the virus intercepts no events and infects no files (unless, of course, NORMAL.DOT or some other auto-loaded template is listed in the FileList). When activated at the 13th second (i.e. when an infected document is opened at that time), the virus displays the following message in the StatusBar: ----------======> SVETA by Kid Chaos [SLAM] <=======----------
EVC.161
Description EVC.161
This is a dangerous memory-resident overwriting virus. It hooks INT 21h and overwrites every file that is executed. It displays: MaKe ViRii oUT T aSS
It also contains the internal text string: EVC 1.0
Evolution.2761
Description Evolution.2761
This is a dangerous memory-resident parasitic polymorphic stealth virus. On execution it copies itself into a UMB or into conventional memory, traces and hooks INT 13h and INT 21h, hooks INT 9, and writes itself to the end of EXE files that are executed, renamed or closed.

On file opening the virus executes its stealth routine: it opens the file, loads it into memory and runs a trace routine that steps through the decryption loop and restores the original contents of the virus body, including the necessary fields of the infected EXE file's header. The virus then restores the EXE header of the infected file (using the decrypted data) and truncates the file to its original length, so an infected file is disinfected on opening while the memory-resident copy of the virus is active.

Two of the hooked interrupts call trigger routines. The first is INT 13h: on every 256th call to INT 13h with AH=2 or AH=3 (read/write sector) the virus executes a damage routine that sets a randomly selected bit of the data buffer to its complementary value. The second "trigger" interrupt is the keyboard handler, INT 09h. When the ALT, CTRL or DEL key is pressed, the viruses check their internal counters and the system timer and, depending on these values, display the message (the first virus displays it in Chinese), wait, and reboot the computer:

-=[allNOTE: partly not displayable in HTML...]Dec 1993 6-

This virus uses i386 extended registers and several other newer Intel instructions. On installation it checks the processor mode. If the processor is in real mode (DOS was loaded without a memory manager such as QEMM or EMM386, and the DOS session is not running under MS-Windows, OS/2 and so on), the virus calls a special algorithm to hide itself in memory. It moves the Interrupt Vector Table into the body of its TSR copy (it reserves enough memory to hold the code and data, about 7K) and loads the address of this copy into the Interrupt Descriptor Table register with the LIDT i386+ instruction.

As a result the processor uses that area, containing the copy of the Interrupt Vector Table, to dispatch interrupts instead of the original table at addresses 0000:0000-03FF. All interrupt addresses are loaded from inside the virus (the copied table) by the main Intel processor. The original Interrupt Vector Table can even be filled with zeros and the computer will keep working without problems: those pointers are no longer used by the processor, so that memory is free for other use. By this trick the virus hides itself in memory very well. Standard debugging and anti-virus utilities will not work correctly, because debuggers cannot set the trace vectors INT 01/03, and anti-virus utilities cannot locate the real addresses of the "virus-alarm" interrupts INT 13h, 21h, 25h and 26h: these utilities either access the standard Interrupt Vector Table directly (at addresses 0000:0xxx) or use the DOS Get/Set Vector functions of INT 21h.
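One check the LIDT trick above suggests for a defender (an added example, not code from the original page): on a real-mode 386+ system the IDTR should still describe the BIOS table at 0000:0000 with limit 03FFh, so a tool that stores the register with SIDT and decodes the six-byte image can tell that the table has been moved and into which segment. The decoder and the two sample register images below are constructed for illustration; the check is only meaningful when the processor really is in real mode, since under a V86 memory manager the IDTR belongs to the manager.

```c
#include <stdint.h>
#include <stdio.h>

/* SIDT stores a 16-bit limit followed by a 32-bit linear base, little-endian.
 * On a clean real-mode 386+ system the register still describes the BIOS
 * Interrupt Vector Table: base 0x00000000, limit 0x03FF (256 vectors * 4). */
#define IVT_BASE   0x00000000u
#define IVT_LIMIT  0x03FFu

typedef struct {
    uint16_t limit;
    uint32_t base;
} idtr_t;

/* Decode the six bytes that SIDT writes to memory. */
idtr_t decode_sidt(const uint8_t img[6]) {
    idtr_t r;
    r.limit = (uint16_t)(img[0] | (img[1] << 8));
    r.base  = (uint32_t)img[2] | ((uint32_t)img[3] << 8) |
              ((uint32_t)img[4] << 16) | ((uint32_t)img[5] << 24);
    return r;
}

/* 1 if the IDTR no longer points at the real-mode IVT at 0000:0000. */
int ivt_relocated(idtr_t r) {
    return r.base != IVT_BASE || r.limit != IVT_LIMIT;
}

/* Real-mode segment that holds a relocated table (linear address >> 4),
 * i.e. where a scanner should look for the TSR that owns the copy. */
uint16_t ivt_owner_segment(idtr_t r) {
    return (uint16_t)(r.base >> 4);
}

/* Constructed sample images: a clean machine, and one where the table has
 * been copied into a resident block at linear 0x9A100 (segment 9A10h). */
static const uint8_t CLEAN_IDTR[6] = {0xFF, 0x03, 0x00, 0x00, 0x00, 0x00};
static const uint8_t MOVED_IDTR[6] = {0xFF, 0x03, 0x00, 0xA1, 0x09, 0x00};

int main(void) {
    idtr_t clean = decode_sidt(CLEAN_IDTR), moved = decode_sidt(MOVED_IDTR);
    printf("clean: relocated=%d\n", ivt_relocated(clean));
    printf("moved: relocated=%d owner segment=%04Xh\n",
           ivt_relocated(moved), ivt_owner_segment(moved));
    return 0;
}
```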