Virus Database

Mono.1063

Description Mono.1063

It is a very dangerous memory resident parasitic virus. IT hooks INT 21h and infects COM files that are executed, and deletes the files that are opened. It infects the memory like "Cascade" virus, but contains several errors. It installs, infects and deletes the files only upon monochrome monitor mode (7th mode), that is why this virus named "Mono". It also works under DOS 3.0 or higher only.

Check other viruses! Be aware! Use Antiviral Software

Espacio Family

Description Espacio Family

These are not dangerous memory resident parasitic viruses. They hook INT 1Ch, 21h and write themselves to the end of COM- and EXE-files that are executed. These viruses contain the data area that is the code of old game PAC-MAN, and this code is packed by PKLITE utility. These viruses unpack that game and sometimes launch it. On execution of this game the viruses hook INT 09h and on Alt-Ctrl-Del pressing they return control to interrupted program. The code of the game contains the text strings:
Recorre la Habana
Presione la tecla ESPACIO para comenzer
en busca de nuevas aventuras
Copyright: NASA-MAN 1993
Oprima ESPACIO para seguir PAC-MANeando all
oystick button FOR JOYSTICK PUNT.

Esperanto.4733

Description Esperanto.4733

This is multiplatform parasitic virus. It infects DOS COM and EXE, Windows EXE (NE) and Windows32 EXE (PE) files. It also has a part of code that looks like a MDEF Macintosh resource and seems to be also a virus for Macintosh. I see no way for that virus to spread from Macintosh to PC, and from PC to Macintosh - being executed as DOS/Win application the virus pays no attention for Mac files. It seems that the same for infected Mac programs - the virus does not pay attention for DOS/Win files. I see the only way to spread that virus from Mac to PC and back - to copy and run it "manually".
When an infected file is executed under DOS, the virus hooks INT 21h and stays memory resident. When files are executed or accessed by FindFirst/Next DOS calls, the virus infects them. The virus also searches for COM and EXE files and infects them. Being executed as Windows or Windows32 application, the virus does not leave its TSR copy in the memory - it just searches for files and infects them.
While infecting the virus parses internal file format, separates DOS COM, EXE, NewEXE and Portable EXE files and infects them in different ways: writes itself to the end of DOS COM and EXE files and modifies file header, creates new section in Windows NE files, appends itself to the last section in Windows32 PE files.
Being executed as Windows32 application the virus also checks the system time and depending on it displays the MessageBox:
[Esperanto, by Mister Sandman/29A]
Never mind your culture / Ne gravas via kulturo,
Esperanto will go beyond it / Esperanto preterpasos gxin;
never mind the differences / ne gravas la diferencoj,
Esperanto will overcome them / Esperanto superos ilin.
Never mind your processor / Ne gravas via procesoro,
Esperanto will work in it / Esperanto funkcios sub gxi;
never mind your platform / Ne gravas via platformo,
Esperanto will infect it / Esperanto infektos gxin.
Now not only a human language, but also a virusall
Turning impossible into possible, Esperanto.

The virus also contains the text strings that are used while infecting Windows32 files:
KERNEL32.DLL USER32.DLL GetModuleHandleA GetProcAddress MessageBoxA
CreateFileA CreateFileMappingA MapViewOfFile UnmapViewOfFile CloseHandle
FindFirstFileA FindNextFileA FindClose LoadLibraryA GetLocalTime

Home