Virus Database

Messev.3158

Description Messev.3158

This is a very dangerous memory resident virus. It infects DOS COM and EXE files as well as drops a boot instance that then infects boot sectors only and is not able to infect DOS executable files. The virus is encrypted in both files and sectors, it is also stealth in both its instances.
When an infected file is executed the virus decryption routine takes control, restores the virus in its original form and passes control to the virus installation routine. The virus then traces and hooks INT 13h, 21h, infects the MBR of the hard drive and command processor pointed by the COMSPEC= instruction.
While infecting files the virus writes itself to the end of the file. It affects the files that are executed, created, opened, accessed by Get/Set file attribute function and ever deleted. The virus disinfects infected files under debugger and on writing to such files (stealth). The virus also runs stealth routines on accessing file length and time&date stamp, on executing the PKZIP, ARJ, LHA, RAR and CHKDSK utilities the virus disables these routines.
When TBSCAN anti-virus is executed, the virus appends to the end of command line options that disable TBSCAN memory and heuristic scanning. Under debugger the virus erases the hard drive sectors and reboots the computer. While infecting the MBR of the hard drive the virus erases the file:
C:WINDOWSSYSTEMIOSUBSYSHDFLOP.PDR
The boot instance of the virus infects the MBR of the hard drive and boot sector of floppy disks as ordinary boot virus. On May 2nd it erases the hard drive sectors, displays and outputs to printer the message:
Gwar virus v1.3, (c) 1998 by T-2000 / Invaders SKLSUX!Winsuck95
The virus also contains the text strings:
=[ Messev v2.10, (c) 1998 by T-2000 / Invaders ]=
MeSSeV LiVeS!
Daddy-K-tit 2 Gallyon van Vessem
This is a pretty lame virus, I only released it coz
I wanted to infect some ppl.Messev - Screwed version
If I don't passall fuck it!My gun will be your angel of mercy!
[ DEMANUFACTURE - FEAR FACTORY ]

Check other viruses! Be aware! Use Antiviral Software

Noki.448

Description Noki.448

This is a very dangerous, memory resident parasitic virus. While executing, the virus copies its code into the video memory at the address BD00:0000, and saves its code on the hard drive to sector 17 (17/0/0 - sector/track/head). Then the virus copies its INT 21h handler code (39 bytes) into Interrupt Vectors Table, hooks INT 21h, and returns control to the host file.
The virus intercepts the file execution (AX=4B00h), reads its code from hard drive sector 17 to the video memory, and jumps to there. The infection routine gains control, and infects EXE files that have the 448-bytes "cave" of zero bytes. The virus overwrites that cave, and returns from an infection routine. Thus, the file length does not grow during infection.
On the 17th of odd months (January, March,all), the virus corrupts the MBR of the hard drive. The virus contains the following text string:
NOKI

Nomad.888.a

Description Nomad.888.a

Nomad.888
It is not a dangerous nonmemory resident parasitic virus. It searches for EXE files, then writes itself to the end of the file. The virus searches for files in the current directory and in first four directories that are listed in PATH. Depending on the system timer the virus displays the message:
*******************************************************
* yO!!! I could have made some mischief to you but I *
* lEfT it out. I'm the #Nomad Virus# - Mikee's World *
*******************************************************

Nomad.1022
It is not a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. The virus deletes the anti-virus data file ANTI-VIR.DAT. Depending on the system time the virus displays the message:
+-----ùú[Nomad By SeptiC]úù------+
: Travling through the time, :
ù Moving slowly in your files, ù
ú Knowledge is the weapon, ú
: That makes my travel fast. :
+-----ùú [-Nomad v 1.0-] úù------+

Home