Virus Database

Autumnal.3072

Description Autumnal.3072

It is a very dangerous memory resident multipartite virus. It infects the MBR of the hard drive and writes itself to end of .COM and .EXE files. While executing an infected file the virus infects the MBR, hooks INT 8, 13h, 21h and stays memory resident by DOS call Keep (INT 27h). While loading from infected disk the virus decreases the size of the system memory (the word at the address 0000:0413), hooks INT 8, 13h, waits for DOS loading, then hooks INT 21h and restores the size of the system memory to hide its TSR block.
While accessing to the files by DOS functions Exec, Open, Rename, FindFirst/Next both FCB and ASCII the virus infects the files except CO*.* and IB*.*. While accessing to infected MBR the virus calls the stealth routine. When an infected file is loaded for debugging, the virus disinfects it. If and error occurs while disinfecting, the virus displays the message:
Error in File

The virus uses anti-debug tricks. On July 13th it deletes the files instead of infecting them.
The virus contains the text strings:
Ver 4.00
(C)Copyright Autumnal Water Corp. 1991

Check other viruses! Be aware! Use Antiviral Software

BootExe.331

Description BootExe.331

This is memory-resident harmless virus which hooks INT 13h and writes itself into EXE files and boot sectors of disks. The boot sector of the hard disk get infection when an infected file is started, the boot sector of floppies - during a reading from them. The original boot sector is saved on the hard disk at the location 0/0/11 (head/track/sector), on a floppy - at the location 1/0/3.
EXE files are infected in quite an original way: the virus analyzes the information read from the disk (INT 13h). If in the sector read from the disk there is an EXE file header (the first two bytes are 'MZ' and some conditions are also met) the virus writes itself into empty space in this header and saves the modified sector on the disk. It means: a) an infected file has the same length; b) no necessity to handle file attributes and time of its creation and fatal errors (INT 24h). The virus doesn't manifest itself in any observable way.

BootExe.Stalker.310

Description BootExe.Stalker.310

This is memory-resident harmless virus which hooks INT 13h and hits MBR of hard drive. After infection of hard drive the computer hands. After loading from infected hard drive the virus starts to infect EXE files.
EXE files are infected in quite an original way: the virus analyzes the information read from the disk (INT 13h). If in the sector read from the disk there is an EXE file header (the first two bytes are 'MZ' and some conditions are also met) the virus writes itself into empty space in this header and saves the modified sector on the disk. It means: a) an infected file has the same length; b) no necessity to handle file attributes and time of its creation and fatal errors (INT 24h). The virus doesn't manifest itself in any observable way.
It contains the encrypted string:
*Stalker*

Home