Virus Database


Net-Worm.Win32.Mytob.w

Description Net-Worm.Win32.Mytob.w
This network worm infects computers running Windows. The worm itself is a PE EXE file written in C++. The packed file is 49281 bytes in size, and the unpacked file is approximately 240KB in size. The worm spreads via the LSASS vulnerability, detailed in Microsoft Security Bulletin


Frizer.987

Description Frizer.987

This is a harmless, non-memory-resident parasitic virus. It searches for .COM files, moves the file header to the end of the file, and writes blocks of its code to the top and to the end of the file. The virus contains the text string:
[ Spreader beta2 by FRiZER ]

The virus has an unusual structure and infection algorithm. It consists of two blocks of code. The first block (placed at the top of the file during infection) contains the entry code, the INT 1 and INT 3 handlers, and an instruction table (see below). The second block (placed at the end of infected files) contains the instructions used when the virus searches for files and infects them, i.e. the second block is the infection routine.
The main feature of this virus is the way it runs its infection routine. The assembler instructions in the second block are not in the usual order (find the file, open it, read data, etc.) but in a semi-compressed form: many necessary instructions are not present at all, because an instruction is omitted whenever the same instruction already occurs elsewhere in the virus code.
For example, the virus uses the INT 21h DOS call to allocate a block of memory. When the virus needs to call other DOS functions, the corresponding INT 21h calls are missing from the code, which looks like this:
MOV AH,48h ; allocate a block of memory
INT 21h ; DOS call
...
MOV AH,1Ah ; set DTA
MOV DX,DI ; no DOS call
MOV AH,4Eh ; find first file
MOV CX,0020h
JNC ... ; no DOS call

To run this strange code the virus uses the instruction table from the first block. The table contains a sequence of pointers to the instructions to be executed; for the code above, the pointer list looks like this:
pointer to MOV AH,48h
pointer to INT 21h
...
pointer to MOV AH,1Ah
pointer to MOV DX,DI
pointer to INT 21h ; points to the same INT 21h as above
pointer to MOV AH,4Eh
pointer to MOV CX,0020h
pointer to INT 21h ; points to the same INT 21h as above
pointer to JNC ...

To run its infection routine the virus takes the pointers one by one and passes control to the corresponding instruction. To execute exactly one instruction at a time it uses INT 1/INT 3 debugging tricks (single-stepping).
As a result the infection code contains only one copy of each instruction (with a few exceptions): if the virus needs to execute an instruction that is already present, it simply passes control to the same pointer again. So the virus never has to store an instruction twice (which, incidentally, makes its code quite difficult to understand); it just reuses the same pointer in its table.
Moreover, the virus does not store in its second block instructions that are already present in the host file. While infecting a file the virus scans the file's body for instructions that occur in its infection routine and uses pointers to the original file code instead of its own, so the file's length may grow by less than the virus length.
As a result the virus executes code borrowed from infected programs: it simply sets pointers to it in the instruction table and does not store these instructions in its second block. So the virus does not just infect files, it "integrates" its code with the code of the infected program.
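The following is an added illustrative model of the pointer-table mechanism described above; it is not the virus's code and executes nothing. Instructions are plain strings, the host program is a constructed sample, and the two functions show why an analyst sees each instruction only once (often borrowed from the host) while the pointer table alone carries the execution order, which is also why the file grows by less than the routine length.

```python
# Added illustrative model (not the virus's own code) of pointer-table execution:
# the routine is stored as a table of pointers into two instruction pools, the
# virus's own block and the host file's code, so that every distinct instruction
# exists only once. Instructions are plain strings here; nothing is executed.

# Execution order of the infection routine as the description lists it
# (constructed from the page's listing; "JNC ..." stands for the truncated jump).
ROUTINE = [
    "MOV AH,48h", "INT 21h",                      # allocate memory
    "MOV AH,1Ah", "MOV DX,DI", "INT 21h",         # set DTA
    "MOV AH,4Eh", "MOV CX,0020h", "INT 21h",      # find first file
    "JNC ...",
]

# Constructed sample of a host .COM program's instructions (hypothetical).
SAMPLE_HOST = ["MOV AH,09h", "MOV DX,0103h", "INT 21h", "MOV AX,4C00h", "INT 21h"]


def build_pointer_table(routine, host):
    """Deduplicate `routine` into an own block plus a pointer table.

    Each table entry is ("host", i) when the host already contains the
    instruction, otherwise ("own", i) into the virus's own block, which
    receives each distinct instruction at most once.
    """
    own_block = []
    table = []
    for insn in routine:
        if insn in host:
            table.append(("host", host.index(insn)))
        elif insn in own_block:
            table.append(("own", own_block.index(insn)))
        else:
            own_block.append(insn)
            table.append(("own", len(own_block) - 1))
    return own_block, table


def walk_table(table, own_block, host):
    """Follow the table pointer by pointer, returning one instruction per step,
    the way the virus single-steps through its routine with INT 1/INT 3."""
    pools = {"own": own_block, "host": host}
    return [pools[kind][index] for kind, index in table]


def growth_in_instructions(routine, host):
    """How many instructions the virus must actually append: the own block
    size, which shrinks as more of the routine is found in the host."""
    own_block, _ = build_pointer_table(routine, host)
    return len(own_block)


if __name__ == "__main__":
    own, tbl = build_pointer_table(ROUTINE, SAMPLE_HOST)
    print("own block:", own)
    print("table:", tbl)
    print("trace:", walk_table(tbl, own, SAMPLE_HOST))
```

Running it against the sample host shows that "INT 21h" never enters the virus's own block at all: all three calls point at the host's copy, and the trace still reproduces the routine in order.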

Frodo.a

Description Frodo.a

This is a memory-resident stealth virus, 4096 (1000h) bytes long. It infects files on execution or closing; data files can also be contaminated. The virus pads its copy so that an infected file grows by exactly 4096 bytes (see "Eddie.2000"). In infected files it advances the last-modification time by 100 years. In COM files it alters the first 6 bytes; in EXE files it alters the header.
When entering files, "Frodo" uses the true values of interrupt vectors 13h and 21h, which it obtains using the "Yankee" algorithm. In addition, "Frodo" modifies the first 5 bytes of the INT 21h handler.
When creating its TSR copy, the virus occupies the top addresses of memory, which results in infecting the COMMAND.COM file. "Frodo" sets the owner address in its MCB to coincide with the owner address of the first MCB in the system, masking it the way DOS does. Later, the copy of the virus may move through memory towards lower addresses, allocating new memory areas and freeing old ones.
A genuine stealth virus: it intercepts INT 21h, handles 20 (!) of its functions (FindFirst, FindNext, Read, Write, Lseek, Open, Create, Close, Exec, etc.) and masks itself effectively. When DOS accesses an infected file, the virus substitutes the original length and last-modification time. On reading or loading a file into memory, it modifies the data read from disk so that the file appears uninfected. On opening an infected file for writing, the virus disinfects it (because writing to the file might destroy part of the virus) and reinfects it on closing.
The virus triggers from September 22nd until December 31st every year. What the trigger does is not known, because the corresponding area of the virus code appears to have been deleted. It may be assumed that the virus destroys the boot sector of a floppy disk and the MBR sector of the hard disk, writing its own code there. On rebooting from such a disk, the screen displays the message "FRODO LIVES!" in large letters drawn with pseudo-graphic symbols.
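The stealth hooks described above mean that asking DOS for a file's date returns the original value, but the +100-year stamp is still on disk. The following is an added example, not the database's or the virus's code, of an offline check that parses raw 32-byte FAT directory entries (assumed to have been read directly from the disk, for instance after booting from clean media) and flags entries whose modification year is implausibly far in the future; the 50-year slack and the sample directory are constructed assumptions.

```python
import struct

# Added example (not the virus's or the database's code): an offline check for
# the +100-year modification date Frodo.a leaves on infected files. It parses
# raw 32-byte FAT directory entries, assuming they were read straight from the
# disk (e.g. after booting clean media), so the stealth INT 21h hooks described
# above cannot substitute the original date.

ENTRY_SIZE = 32


def decode_fat_date(word):
    """FAT date word: bits 15-9 years since 1980, bits 8-4 month, bits 3-0 day."""
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F


def encode_fat_date(year, month, day):
    return ((year - 1980) << 9) | (month << 5) | day


def parse_dir_entry(entry):
    """Return (name, date_word, size) from one short-name directory entry."""
    if len(entry) != ENTRY_SIZE:
        raise ValueError("directory entry must be 32 bytes")
    base = entry[0:8].decode("ascii").rstrip()
    ext = entry[8:11].decode("ascii").rstrip()
    # offsets 22/24/26/28: write time, write date, first cluster (low), size
    _time, date_word, _cluster, size = struct.unpack_from("<HHHI", entry, 22)
    return (f"{base}.{ext}" if ext else base), date_word, size


def is_century_shifted(date_word, scan_year, slack_years=50):
    """Heuristic (assumption): a modification year more than `slack_years`
    beyond the scan year cannot be genuine; Frodo's mark is a 100-year jump."""
    year, _, _ = decode_fat_date(date_word)
    return year - scan_year > slack_years


def original_date_word(date_word):
    """Undo the 100-year shift to recover the pre-infection date."""
    year, month, day = decode_fat_date(date_word)
    return encode_fat_date(year - 100, month, day)


def scan_directory(raw, scan_year):
    """Return (name, size, decoded date) for each entry whose date is shifted."""
    hits = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = raw[off:off + ENTRY_SIZE]
        if entry[0] in (0x00, 0xE5):       # free or deleted slot
            continue
        name, date_word, size = parse_dir_entry(entry)
        if is_century_shifted(date_word, scan_year):
            hits.append((name, size, decode_fat_date(date_word)))
    return hits


def make_entry(name, ext, date_word, size):
    """Build a constructed 32-byte entry: name, ext, attr, reserved, time, date, cluster, size."""
    return struct.pack("<8s3sB10sHHHI", name.ljust(8).encode(), ext.ljust(3).encode(),
                       0x20, b"\0" * 10, 0, date_word, 2, size)


# Constructed sample directory: one clean file and one carrying Frodo's stamp
# (its size also includes the 4096-byte growth the description mentions).
SAMPLE_DIR = (
    make_entry("CLEAN", "COM", encode_fat_date(1990, 6, 15), 1234)
    + make_entry("INFECTED", "EXE", encode_fat_date(2090, 6, 15), 12345 + 4096)
)

if __name__ == "__main__":
    for name, size, when in scan_directory(SAMPLE_DIR, scan_year=1992):
        print(f"{name}: size {size}, modified {when}")
```

The date check alone is only an indicator; the description's other marker, that an infected file grows by exactly 4096 bytes, is not recoverable from the directory entry without a known-good size, so a hit should be confirmed by comparing the raw file against a clean copy.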

Copyright © 2005 Virus-Database.com