Virus Database

Olivia.3378

Description Olivia.3378

This is a very dangerous memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are accessed. Duplicate infection is possible. In some cases, the virus writes the "jump-to-virus" instruction to the middle of COM files. The virus checks the names and do not infect the following files:
4DOS, COMMAND, WIN, EMM386
The virus uses anti-debugging tricks and disables several anti-virus resident monitors. On April 10th it launches its trigger routine. This routine checks the CD-ROM installed and displays the following message:
please put a love music CD into your CD-ROM
and pass any key to continueall
Then it summons several system CD-ROM access functions (plays CD-ROM?). Then the virus displays some text (possibly in Chinese) including the text:
By André '97/1/30
In addition to listed above, it also infects Windows32 PE executable files. The virus writes its code to the end of the file in the newly created section, and modifies PE header. The virus does not spread itself from PE files. It just summons some Windows Kernel function (displays a text?), and returns to the host program. The virus has bugs and corrupts PE files while infecting them. When infected files are executed, Windows displays a standard error message, and terminates the infected application.
When an infected DOS file is executed, the virus hooks INT 21h and infects files that are accessed. When ARJ, RAR, PKZIP, LHA, BACKUP, MSBACKUP, CPBACKUP, CHKDSK or XCOPY utilities are executed, the virus disables its infection and semi-stealth routines. When VT* or PV* files are executed, the virus temporarily hooks INT 10h for an unknown reason.
The virus calls its trigger routine to play a CD disk on April 10. Before playing the CD, it displays the following message:
Put a Audio-CD into the CD-ROM, and it any key...
The virus also contains the text:
Olivia Virus 6.00.95a

Check other viruses! Be aware! Use Antiviral Software

Asterisk

Description Asterisk

It is a dangerous memory resident boot virus. It copies itself at the address 7000:7C00 (it causes system crash in a lot of cases), hooks INT 13h, 17h and writes itself into MBR of hard drive and floppy boot sectors. In some cases it plays with the printer, and displays the asterisk '*'.

Astra Family

Description Astra Family

Astra.498,510,521
These are not dangerous memory resident parasitic viruses. They move themselves into Interrupt Vectors Table at the address 0020:XXXX, hook INT 21h and infect SYS-files of the current directory on every call to DOS function FindFirst. The viruses write themselves at the file end, in which they modify only interrupt subroutine address.
The viruses of this family contain the text "(5)" and depending of the virus version one of the following strings:
(C) AsTrA,1990,JPN
(C) AsTrA,1990
(C) AsTrA,JPN
(C) AsTrA, 1991

The infectors display one of the messages:
I like cold flavour !
I like fragrant smell of flower!
I like a flower's smell!

"Astra.7821" displays a picture in graphic video mode.
Astra_II viruses
These are dangerous memory resident encrypted parasitic viruses. On execution they search for not infected files and hit them, hook INT 21h and stay memory resident. Then these viruses infect the files are executed. "Astra_II.505,882,976" hit COM-files only, other "Astra_II" viruses hit both COM- and EXE-files, "Astra_II.1556" hits COM-, EXE- and SYS-files.
In depending of system timer they encrypt (XOR 55h) Disk Partition Table of hard drive's MBR, then some of them change video font table. They contain the internal strings:
"Astra_II.505": (C) AsTrA, 1991 (1)
"Astra_II.882,976": (C) AsTrA, 1991 (2)
"Astra_II.927": (C) AsTrA, 1991 Child's Play (3)
"Astra_II.1010": (C) AsTrA, 1992 (3)
"Astra_II.1556": Child's Play (C) AsTrA
4D *.COM *.EXE *.SYS (4)

Home