Virus Database

Peru

Description Peru

It is a dangerous boot virus. It hooks INT 13h and writes itself to the boot sector of hard drive and floppy disks. It infects the hard drive while loading from infected floppy drive and affects floppy disks that are accessed. Because of an error while infecting floppy disks the virus writes original boot sector to one of the FAR sectors. That may corrupt data on disk.
After five infections the virus displays the message:
No Existe Otra Mujer Como JOHANA

The virus also contains the text:
Peru

Check other viruses! Be aware! Use Antiviral Software

Mbd.1258

Description Mbd.1258

These are not dangerous memory resident encrypted parasitic viruses. They hook INT 8, 21h and write themselves to the end of COM and EXE files that are executed. The viruses do not infect the files: DRWE*, AIDS*, AV*, ADIN*, COMM* (DRWEB, AIDSTEST, AVP, ADINF, COMMAND.COM).
The virus TSR copy occupies just 232 bytes of the memory - while installing memory resident the virus saves its complete code to reserved hard drive sectors (on zero track) and reads that code from there in case of need (on infecting). The virus leaves its TSR copy (INT 8 and INT 21h handlers) in DOS data area at address 0060:0000. As a result, the virus is active, but it does not occupy conventional memory and it is not visible by any memory browser.
Depending on their internal counters the viruses dial the phone number 02 (police line in Russia) or 113. The viruses contain the text string:
Virus-MENT, v1.0 (C) MBD Poccuu. XI.1996 #

"Mbd.1317" has several strings in Russian, "Mbd.1258" contains they translated to English:
# HELLO, POLICE ! I`M, DIRTY USER, HAVE STEAL BILLY`S WINDOWS !
# POLICE OF THE WORLD, HANDS OFF FROM CYBERSPACE !

MBP.Kynel

Description MBP.Kynel

The first known virus to infect MapInfo tables. It activates upon the opening of infected tables and proceeds to infect the MapInfo environment and every table subsequently opening in MapInfo.
The virus has a payload routine that is triggered according to specific system dates; the payload corrupts table files.
What is MapInfo
MapInfo is a Geo-Information System, one of the world's leading software solutions for mapping and geographic analysis. It is developed by the MapInfo Corporation. MapInfo uses the MapBasic programming language to create custom applications for use with MapInfo Professional or special MapInfo "runtimes". It is very similar in syntax to Microsoft Visual Basic but has additional 'statements' for tables and map manipulations.
Virus The virus is written in the MapBasic language and is compiled into a binary application that executes with MapInfo. When the infected table is opened the virus gains control and infects the MapInfo environment. To do this the virus copies itself into the MapInfo program directory (the directory where MapInfo is installed) under the name 0gPiSs1.dll. The 'startup.wor' file has its own 'startup workspace'. The virus places into the startup workspace of the startup.wor file the commands that launch the virus code. The startup workspace is automatically executed prior to the launching of any other workspace, and thus the virus gains control each time MapInfo is started.
When active, the virus silently collects the filenames of open tables to be used at a later time.
When MapInfo is closed the virus checks the system time. On Monday it runs its first payload routine that catalogs (numbers) the table filenames collected during the current session. With the probability of 1% the virus tries to delete the table files with the following extensions:
map, tif, pcx, jpg
The second payload routine triggers on Friday the 13th and does the same as the first payload routine but deletes table files with a 14% probability. In addition it overwrites the mapinfow.prj file with the following text written in Russian (encoding - Cyrillic KOI-8R):
"--- ëÏÏÒÄÉÎÁÔÙ ---"
"äÏÌÇÏÔÁ / ûÉÒÏÔÁ", 3, 62, 8, -74, 40.5, 40.6666666667, 41.0333333333, 2000000, 100000
If the payload routines did not trigger, the virus infects all the collected tables. To do this the virus overwrites the .mif table file with virus code and inserts the command to run this file upon table opening.
Disinfection
Kaspersky Anti-Virus removes the virus code from files, but cannot restore files deleted by virus payloads. You have to restore missing .map, .tif, .pcx and .jpg files from backup. Also you may need to restore the mapinfow.prj file in the MapInfo program directory from backup or from the Tools subfolder.

Home