Virus Database


Markiz_II Family

Description Markiz_II Family

These parasitic viruses are not dangerous. "Markiz.1024" is a non-memory-resident virus. It searches for EXE files and writes itself to the end of each file. "Markiz.2642" is an encrypted memory-resident virus. It hooks INT 21h and infects files as they are executed. It writes itself to the beginning of COM files and to the end of EXE files, except for the following (anti-virus) files: AIDS, ANTI, WEB, -V, SCAN, VSAFE, MSAV, NAV.
On the 28th of any month, "Markiz.1024" displays the message:
Virus ***MARKIZ-1*** for EXE files specification.
(C) by PLcat /demo version 1.0/
Was great in Almaty, Kazakhstan, 28.12.94. Good luck!

When run under a debugger, "Markiz.2642" displays the following message and reboots the computer:
+------------------------------------------------------------+
¦ Virus *** MARKIZ-2 *** for COM&EXE&OVL files specification ¦
¦ (C) by PLcat, version 2.0 /experimental version/ ¦
¦ Created in Almaty, Kazakhstan, 21.05.95. ä" ¡"óds óßGaÑt! ¦
+------------------------------------------------------------+

This virus also hooks INT 8 (timer) and after some time displays the picture:
+------------------+
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦/¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦/ ¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦--¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ ¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
¦ M A R K I Z -- 2 ¦
+------------------+

Depending on the system date, it also hooks INT 9 (keyboard) and, on Alt-Ctrl-Del (warm reboot), manifests itself with a video effect.


Orphan.174

Description Orphan.174

It is a very dangerous memory-resident multipartite virus. When an infected file is executed, the virus inserts its code into the MBR of the hard drive: it copies its code into free space in the MBR and patches the bootstrap loader code to gain control. This method of infection works correctly only with the standard bootstrap routine; if the MBR contains non-standard code, the virus corrupts the MBR and the system halts on the next reboot.
When loaded from an infected MBR, the virus copies itself into the Interrupt Vector Table, hooks INT 13h and overwrites EXE files on floppy disks (when files are copied to a floppy disk).

OS2.AEP.a

Description OS2.AEP.a

It is a harmless non-memory-resident parasitic NewEXE (OS/2) virus. It searches for EXE and DLL files, checks them for an NE stamp, then checks the OS/2 marker in the NewEXE header. Next, the virus obtains the number of the code segment that contains the entry point, shifts all other segments down, increases the length of the entry point segment, and writes its code there. Then the virus fixes the relocation and name tables and returns control to the host program.
Clean File                Infected File
+----------------+        +----------------+
|MZ DOS Header   |        |MZ DOS Header   |
|----------------|        |----------------|
|NE NewEXE Header|        |NE NewEXE Header|
|----------------|        |----------------|
|System Tables   |entry|  |System Tables   |
|----------------|point|  |----------------|
|Seg 1           |<----+  |Seg 1           |<--+
|                |        |                |   |
|----------------| --+    |- - - - - - - - |<---- entry point
|Seg 2           |   |    |Virus           |   |
|----------------|   |    |                |---+ returns to original
      . . .          +--->|----------------|     entry point
|----------------|        |Seg 2           |
|Seg n           |        |----------------|
+----------------+ --+          . . .
                     |    |----------------|
                     |    |Seg n           |
                     +--->+----------------+

This is the first known virus that affects OS/2 files in the "right way" - it writes itself to the file and modifies the NewEXE header and other system areas.
While infecting a file, the virus uses the system calls:
DosAllocSeg DosFreeSeg DosChgFilePtr DosClose DosFindFirst DosFindNext
DosOpen DosRead DosWrite

The virus contains the text strings:
(C) 1995 American Eagle Publications Inc., All rights reserved.
*.EXE *.DLL DOSCALLS



Text added: June-26-1996
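
For triage of a suspect OS/2 executable, the checks the OS2.AEP.a description walks through (MZ header, NE stamp, OS/2 marker, entry point segment) can be reproduced by a read-only parser. The following is an added example, not code from the original page: the function names are hypothetical, the NE header offsets are those of the standard NewEXE format, and the sample file is constructed for the demo.

```python
import struct
# String the page lists as present in the virus body.
PAGE_STRING = b"(C) 1995 American Eagle Publications Inc., All rights reserved."
TARGET_OS = {1: "OS/2", 2: "Windows"}  # NE target-OS byte values (others omitted)

def triage_ne(data: bytes) -> dict:
    """Locate the entry-point segment of a NewEXE file and inspect it."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ DOS header")
    ne = struct.unpack_from("<I", data, 0x3C)[0]           # offset of new header
    if ne + 0x40 > len(data) or data[ne:ne + 2] != b"NE":
        raise ValueError("no NE stamp")
    ip, cs = struct.unpack_from("<HH", data, ne + 0x14)    # entry point CS:IP
    nsegs = struct.unpack_from("<H", data, ne + 0x1C)[0]   # segment count
    segtab = struct.unpack_from("<H", data, ne + 0x22)[0]  # segment table, NE-relative
    shift = struct.unpack_from("<H", data, ne + 0x32)[0] or 9  # 0 means 512-byte sectors
    if not 1 <= cs <= nsegs or ne + segtab + cs * 8 > len(data):
        raise ValueError("no usable entry-point segment")
    entry = ne + segtab + (cs - 1) * 8                     # 8-byte segment table entries
    sector, length = struct.unpack_from("<HH", data, entry)
    start, length = sector << shift, length or 0x10000    # length 0 means 64 KiB
    body = data[start:start + length]
    return {
        "target_os": TARGET_OS.get(data[ne + 0x36], "other"),
        "entry_segment": cs,
        "entry_ip": ip,
        "bytes_after_entry": length - ip,  # small value: entry sits near segment end
        "page_string_in_entry_segment": PAGE_STRING in body,
    }

def build_sample(with_string: bool) -> bytes:
    """Constructed minimal NE image (not a real program) for the demo."""
    mz = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    hdr = bytearray(0x40)
    hdr[0:2] = b"NE"
    struct.pack_into("<HH", hdr, 0x14, 0x0100, 1)  # IP=0x100, CS=segment 1
    struct.pack_into("<H", hdr, 0x1C, 1)           # one segment
    struct.pack_into("<H", hdr, 0x22, 0x40)        # segment table right after header
    struct.pack_into("<H", hdr, 0x32, 4)           # 16-byte sectors
    hdr[0x36] = 1                                  # target OS: OS/2
    seg = bytes(0x100) + (PAGE_STRING if with_string else b"\x90" * 16)
    table = struct.pack("<4H", 0x10, len(seg), 0, len(seg))  # sector 0x10 -> offset 0x100
    return (mz + bytes(hdr) + table).ljust(0x100, b"\0") + seg

if __name__ == "__main__":
    print([triage_ne(build_sample(f)) for f in (False, True)])
```

The string match covers only the entry point segment, which is where the description says the virus code is written.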

    Copyright © 2005 Virus-Database.com