Avatar.Acid.670
Description Avatar.Acid.670
These are very dangerous parasitic viruses. Some of them corrupt disk sectors. They contain the internal texts:

"Avatar.Acid.670,674": [Binary Acid] (c) 1994 Evil Avatar
"Avatar.Acid.736": Virus ANuBiS v.1.0 (c) 1994 Æ Ü ! Realizado en Argentina [AVRL] This is only the beginningall
"Avatar.BigBang.346": [Big Bang] (c) 1993 Evil Avatar *.COM
"Avatar.Dichotomy": [Dichotomy] (c) 1994 Evil Avatar [Dichotomy]
"Avatar.K_Rad.561": Made in the USA [k-rad] by Evil Avatar
"Avatar.Positron.512": [Positron] (c) 1994 Evil Avatar

Avatar.Acid
These are memory resident viruses. They hook INT 21h and write themselves to the end of COM and EXE files that are executed. On Mondays, they erase a randomly selected disk sector.

Avatar.BigBang.346
This is a non-memory resident virus. It searches for .COM files and writes itself to the end of the file. On January 1st, it corrupts the MBR of the hard drive.

Avatar.Dichotomy
This is a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of files that are being executed. It correctly infects COM files only, but also infects EXE files. Infected EXE files cannot replicate; they halt the system when executed.

The virus infects files in different ways. The sequence of executed files is divided into two sub-sequences: "odd" files and "even" ones. The virus splits itself into two parts (296 and 567 bytes), writes the first part to the end of "even" files, and appends the second part to the end of "odd" files. The "even" files are infected in the standard viral manner: the first three bytes of the file are replaced by a "JMP Virus" instruction. The beginning of "odd" files is not changed, and these files do not replicate the virus upon infection.

Upon execution of an "even" file, the first part of the virus searches for an "odd" file (its name is stored in the code of the first part), reads the second part into system memory and stays resident. In some cases, the memory resident copy of the virus writes both parts of the code into the same file: when infecting files on floppies, and when the first part of the virus cannot locate the second one.

This is the first virus to use this "binary arm"-style algorithm: the virus replicates itself if there are two infected files with different parts of the virus.

Avatar.K_Rad
It is a benign memory resident parasitic virus. It hooks INT 9 and INT 21h, and writes itself to the end of EXE files that are executed. By hooking INT 9, it capitalizes (on the screen) the letters that are entered via the keyboard.

Avatar.Positron
This is a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. The virus does not overwrite the file header with the JMP_Virus instruction, but writes it to the middle of the file. When the file is executed, the virus passes that call and does not infect the file, but waits for the first INT 21h call made while the file is running. When that call is detected, the virus calculates the address from which the call was made and writes a JMP_Virus instruction there. As a result, the virus receives control not from the beginning of the file but from the middle, at the offset of the first INT 21h call. The virus may corrupt packed and some other types of files. These files halt the system when they are executed.
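
A triage heuristic for the header-patching pattern described for the "even" Avatar.Dichotomy files, as an added example that is not part of the original description: it flags a COM image whose first instruction is a near JMP landing close to the end of the file. The E9 opcode form, the 4096-byte threshold and the sample images are assumptions constructed here; files whose header is left untouched (the "odd" files, Avatar.Positron) do not match.

```python
import struct

JMP_NEAR = 0xE9    # x86 "JMP rel16" opcode (assumed form of the "JMP Virus" patch)
COM_LOAD = 0x100   # DOS loads a COM image at offset 100h of its segment
MAX_TAIL = 4096    # assumed threshold: longest appended body worth flagging


def entry_jump_offset(image: bytes):
    """File offset the leading JMP lands on, or None if there is no such JMP."""
    if len(image) < 3 or image[0] != JMP_NEAR:
        return None
    (rel,) = struct.unpack_from("<h", image, 1)   # signed 16-bit displacement
    target_ip = (COM_LOAD + 3 + rel) & 0xFFFF     # relative to the next instruction
    offset = target_ip - COM_LOAD
    return offset if 3 <= offset < len(image) else None


def tail_jump_size(image: bytes, max_tail: int = MAX_TAIL) -> int:
    """Bytes between the jump target and end of file when the pattern matches, else 0."""
    offset = entry_jump_offset(image)
    if offset is None:
        return 0
    tail = len(image) - offset
    return tail if tail <= max_tail else 0


def make_sample(host_len: int, tail_len: int, patch_header: bool) -> bytes:
    """Constructed test image: NOP host body plus a zero-filled appended tail."""
    image = bytearray(b"\x90" * host_len + b"\x00" * tail_len)
    if patch_header:
        image[0:3] = struct.pack("<Bh", JMP_NEAR, host_len - 3)
    return bytes(image)


# Constructed samples; 296 and 567 are the two part lengths given in the text.
PATCHED = make_sample(1000, 296, True)     # header JMP into the appended tail
UNPATCHED = make_sample(1000, 567, False)  # appended tail, header untouched
BIG_HOST = b"\xE9" + struct.pack("<h", 0x20 - 3) + b"\x90" * 19997  # JMP near start

if __name__ == "__main__":
    for name, img in (("patched", PATCHED), ("unpatched", UNPATCHED), ("big", BIG_HOST)):
        size = tail_jump_size(img)
        verdict = f"suspicious, tail={size}" if size else "no match"
        print(f"{name:10s} {verdict}")
```

A match is a reason to inspect the file, not a verdict: small legitimate COM programs that begin with a JMP over their data also fall under the threshold.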
NewYear.1356
Description NewYear.1356
It is a non-dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. From January 1st to 3rd, the virus decrypts and displays the message: Happy New Year.
Nexiv_Der.3886
Description Nexiv_Der.3886
It is a very dangerous memory resident polymorphic multipartite virus. It infects disk boot sectors and COM files only. The virus code is polymorphic in files as well as in boot sectors.

When an infected file is executed, the virus infects the first boot sector of the hard drive and returns to DOS. When loading from an infected sector, the virus hooks INT 13h, waits for the DOS loading procedure, hooks INT 21h, and then infects COM files that are executed and boot sectors of the floppy drives that are accessed. When loading from an infected floppy disk, the virus also infects the first boot sector of the hard drive.

The virus uses quite a complex routine to infect COM files. It reads 20h bytes from the file header, checks that the file is in COM format, hooks INT 3h and INT 13h (a second INT 13h handler), and returns control to the original INT 21h code. While disk files are read through INT 13h, the virus compares the data being read with those 20h bytes of the file header and waits for the moment when DOS loads the file into system memory to execute it. The virus then patches the first byte of the data buffer with the CCh code (a call to INT 3) and continues INT 13h. As a result, when the file is loaded into system memory, the first instruction executed is a call to INT 3. The virus intercepts that call, restores the original byte that was patched with CCh, then hooks INT 1 (tracing) and traces the file. While tracing, the virus skips 256 or more instructions, then waits for a JMP or CALL instruction and overwrites that JMP/CALL with JMP_to_virus code. The virus then encrypts itself and saves itself to the end of the file. As a result, the virus writes the JMP_to_virus code into the middle of the file, and the file header is not modified. The virus checks different conditions while infecting files to prevent corruption, but it may still corrupt files while infecting them.

While infecting the hard drive, the virus destroys the C: drive system date if the hard drive has 20 or fewer sectors per track. The virus does not manifest itself in any other way. It contains the text string: Nexiv_Der takes on your files