Virus Database

Murphy.Delirium.1788

Description Murphy.Delirium.1788

This is a dangerous memory resident virus. It hooks INT 8 and 21h, and infects COM, EXE and OVL files that are executed. Some time after activation, the virus "launches" several balls of different colors randomly moving around the screen (the effect is similar to the ball movement of the "Ping-Pong" virus). On Tuesday, the infected EXE files format the disks. The virus contains the following text:
(C) David Grant Virus Research 1991 PCVRF Disribuite this virus
freely!!!allah...John...Fuck You!

(c) IVRL 1991 (Ivrl Head Quarter, Milan Italy)
In November, it deletes all the current directory files, formats the hard drive and displays the following message:
Delyrium Virus - Created by Cracker Jack 1991
Copyright by Italian Virus Research Laboratory 1991
.....because the dead is not so far....and the horror will be with you

Check other viruses! Be aware! Use Antiviral Software

Markiz.1972

Description Markiz.1972

This is a dangerous memory resident encrypted parasitic virus. It traces and hooks INT 21h, then it infects COM and EXE files. The virus contains the text strings:
MARKIZ-4/³1995 [note displayed in HTML version)

This virus uses a quite complex method of infecting files: it encrypts and writes itself to the end of the file, then writes the decryption loop and jump-to-virus instruction to the file middle at the calling address to INT 21h code, which is performed as the first one when the file is executing. While infecting, the virus does not modify the file beginning (except Module Length fields in EXE header):
Not infected file Infected file
+---------------+ +---------------+
ƒall ƒ ƒ... ƒ
ƒ---------------ƒ ƒ---------------ƒ
ƒcall to INT 21hƒ ƒdecryption loopƒ
ƒ---------------ƒ ƒJMP Virus ƒ---
ƒ... ƒ ƒ---------------ƒ ƒ
ƒ... ƒ ƒ... ƒ ƒ
+---------------+ ƒ---------------ƒ<--
ƒvirus ƒ
ƒ ƒ
+---------------+

To fulfill this method, the virus intercepts all INT 21h functions. When any file is being executed (AX=4B00h), the virus turns itself to "infection mode", and returns control to the original INT 21h handler. DOS loads the file into the system memory, and passes control to the file's code. Usually the programs call different INT 21h functions, and the virus intercepts the first of such calls, gets the address of the code that performs it, calculates the offset of that code in the file, and writes its decryption routine and JMP_Virus code to the file at that address.
The virus checks the file to prevent infection of packed files and the verwriting of relocated addresses in EXE files. To do this, the virus compares the code in the memory with the code in the file before overwriting. If these codes are different, the virus does not infect the file.
To detect the termination of the program and turn off the "infection mode," the virus also hooks INT 20h and 27h. This is necessary if the file does not perform any INT 21h calls while working.

Markiz.2620

Description Markiz.2620

This is a dangerous memory resident encrypted parasitic virus. It traces and hooks INT 21h, then it infects COM and EXE files. The virus contains the text strings:
[-DEDiCA+ED-Ï0-MARKiZ-]
This virus writes itself to the beginning of COM files and to the end of EXE files that are accessed with DOS functions FindFirst/Next ASCII (AH=4Eh,4Fh). These functions are performed by DOS while executing a file from the command line, and the virus infects that file at that moment. The virus checks the file name before infecting, and does not infect the file if there are any of the following strings found at the beginning of a file name:
ADIN AID ANT DRW FIND MSA NAV VSA WEB

With a probability of 1/256 while executing the FO?MA*.EX* files (FORMAT.EXE), the virus renames them to *.?d? ('d' - 229 ASCII).
In February and October, some time after installation, the virus displays messages, and manifests itself with video and sound effects.

Home