Naff.821
Description Naff.821
It is a dangerous memory resident parasitic polymorphic virus. It hooks INT 21h and writes itself to the end of .COM files that are executed or opened. Because of a bug in its polymorphic engine, the virus may corrupt files while infecting them. The virus does not manifest itself in any other way.
SpiceGirl Family
Description SpiceGirl Family
These are harmless memory resident parasitic viruses. They hook INT 21h and write themselves to the beginning of COM files (except COMMAND.COM) that are accessed. The viruses are encrypted starting with the 1619-byte version. Starting with the 2123-byte version they are semi-stealth: on opening an infected file they create a temporary file, write a disinfected copy of the original file to it, and return the "handle" of the disinfected copy instead of that of the original file. On closing, these viruses delete the temporary file.
The viruses use a new way to avoid detection: the infected files have no entry point (start code). The entry point address in infected files lies outside the file body, so it is impossible to reach the virus code by parsing the EXE header. To implement this method the virus uses several PSP (Program Segment Prefix) and EXE header tricks.
The virus code is in EXE format, i.e. the virus as a program is an EXE program with an EXE header, relocation table and so on (as a result, infected COM files have EXE internal format). The EXE header fields in the virus (initial CS and IP) are patched so that the entry address points not to file code but to PSP data (i.e. outside the file). At that address the PSP contains the RET FAR code that follows the call to the INT 21h handler. So the virus entry address points to the RET FAR code, and control is then passed to the code pointed to by the stack. To pass control to its real entry code, the virus has initial stack registers (SS and SP) in its EXE header and stack data that points to the real entry:

       +------------+  PSP                          Control flow
  0000 |CD 20       |
  .... |            |
  0050 |CD 21       |
  0052 |CB / RET FAR|  Entry address, DOS will      <-----+
  .... |            |  bring control to here        -----+
  0100 +------------+  Virus code (file image)           |
       |            |                                    |
       |------------|                                    |
       |Stack       |  Stack data points to         ---->|
       |            |  real entry                        |
       |------------|                                    |
       |            |  Real virus entry code        <----+
       |   . . .    |

The viruses contain the text strings: What? 'Error: invalid program'? Me? Fprot, are you crazy? :) And you, Avp, 'EXE file but COM extension'. What a deep scan. ;) Spice_Girls virus causes problems to your scan engine eh? :)
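A scanner can flag the header layout described above without emulating any code. The following triage check is an added example, not code from the original page or from any antivirus product. The sample headers are constructed, and the values CS=FFF0h, IP=0052h are an assumption chosen so that the entry address resolves to PSP:0052.

```python
import struct

PSP_SIZE = 0x100  # DOS places the 256-byte PSP directly below the load image

def parse_mz(data):
    """Return the header fields used below, or None if there is no EXE header."""
    if len(data) < 28 or data[:2] not in (b"MZ", b"ZM"):
        return None
    f = struct.unpack_from("<14H", data)
    file_len = f[2] * 512 - ((512 - f[1]) if f[1] else 0)
    return {"image_size": file_len - f[4] * 16,   # minus header paragraphs
            "ss": f[7], "sp": f[8], "ip": f[10], "cs": f[11]}

def entry_location(hdr):
    """Classify where the initial CS:IP lands relative to the load image."""
    off = hdr["cs"] * 16 + hdr["ip"]
    if off < hdr["image_size"]:
        return ("image", off)
    # CS is added to the load segment modulo 64K, so 0xFFF0 acts as -10h paragraphs.
    wrapped = (hdr["cs"] - 0x10000) * 16 + hdr["ip"]
    if -PSP_SIZE <= wrapped < 0:
        return ("psp", wrapped + PSP_SIZE)
    return ("outside", off)

def triage(name, data):
    """Return findings for the traits the description lists."""
    hdr = parse_mz(data)
    if hdr is None:
        return []
    findings = []
    if name.upper().endswith(".COM"):
        findings.append("EXE header in a file with COM extension")
    where, off = entry_location(hdr)
    if where != "image":
        findings.append("entry point outside file body (%s:%04X)" % (where, off))
        if hdr["ss"] * 16 + hdr["sp"] + 4 <= hdr["image_size"]:
            findings.append("initial SS:SP points at file data (preloaded far return)")
    return findings

def make_header(pages, hdr_paras, ss, sp, ip, cs):
    """Build a constructed 28-byte MZ header padded to the declared file size."""
    h = struct.pack("<2s13H", b"MZ", 0, pages, 0, hdr_paras, 0, 0xFFFF,
                    ss, sp, 0, ip, cs, 0x1C, 0)
    return h.ljust(pages * 512, b"\0")

# Constructed samples: CS=FFF0h/IP=0052h are assumed values that reach PSP:0052.
SUSPECT = make_header(pages=4, hdr_paras=2, ss=0x0010, sp=0x0040, ip=0x0052, cs=0xFFF0)
CLEAN = make_header(pages=4, hdr_paras=2, ss=0x0070, sp=0x0100, ip=0x0010, cs=0x0000)

if __name__ == "__main__":
    for name, data in (("GAME.COM", SUSPECT), ("TOOL.EXE", CLEAN)):
        print(name, triage(name, data) or "no findings")
```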
Spirit.1710
Description Spirit.1710
It is a dangerous memory resident parasitic virus. It traces and hooks INT 21h, then it writes itself to the beginning of COM and to the end of EXE files that are accessed. The virus checks the file name and does not infect the files: COMMAND.COM F-PROT F-TEST VIR DIR2CLR IMV ANTI DOCTOR SCAN CLEAN IVC CHKDSK
Depending on the system date and time the virus erases some sectors of the hard drive. The virus also contains the text strings: COMEXE ** (C) The Evil Spirit ** Gabrovo city, Bulgaria. Last_change : 28.05.1993