Virus Database


Nail

Description Nail

This is a non-dangerous, memory-resident stealth boot virus. It hooks INT 13h and writes itself into the MBR of the hard drive and into floppy disk sectors. On loading, it forces DOS to allocate an unused block of memory and copies itself there, so the virus does not decrease the RAM size word at address 0000:0413. In 1996 it decrypts and displays the message:
Heal the world all

Check other viruses! Be aware! Use Antiviral Software

Mark13.782

Description Mark13.782

This is a dangerous, memory-resident parasitic virus. It hooks INT 21h and, on disk access calls, searches for *.COM files and writes itself to the end of the file. While installing itself into system memory, the virus copies its code to address 9000:0100 without fixing the memory allocation blocks, which can halt the system.
The virus contains the text:
MARK13-Review

Markiz.1972

Description Markiz.1972

This is a dangerous memory resident encrypted parasitic virus. It traces and hooks INT 21h, then it infects COM and EXE files. The virus contains the text strings:
MARKIZ-4/³1995 [note displayed in HTML version]

This virus uses a rather complex method of infecting files: it encrypts itself and writes itself to the end of the file, then writes the decryption loop and a jump-to-virus instruction into the middle of the file, at the address of the code that calls INT 21h and that is the first such call performed when the file executes. While infecting, the virus does not modify the beginning of the file (except the Module Length fields in the EXE header):

 Not infected file       Infected file
 +---------------+       +---------------+
 |...            |       |...            |
 |---------------|       |---------------|
 |call to INT 21h|       |decryption loop|
 |---------------|       |JMP Virus      |---+
 |...            |       |---------------|   |
 |...            |       |...            |   |
 +---------------+       |---------------|<--+
                         |virus          |
                         |               |
                         +---------------+

To carry out this method, the virus intercepts all INT 21h functions. When any file is executed (AX=4B00h), the virus switches itself into "infection mode" and returns control to the original INT 21h handler. DOS loads the file into system memory and passes control to the file's code. Programs usually call various INT 21h functions, and the virus intercepts the first such call, gets the address of the code that performs it, calculates the offset of that code in the file, and writes its decryption routine and JMP_Virus code to the file at that address.
The virus checks the file to prevent infection of packed files and the overwriting of relocated addresses in EXE files. To do this, the virus compares the code in memory with the code in the file before overwriting. If the two differ, the virus does not infect the file.
To detect the termination of the program and turn off the "infection mode," the virus also hooks INT 20h and 27h. This is necessary if the file does not perform any INT 21h calls while working.

    Copyright © 2005 Virus-Database.com