Pest.2728
Description Pest.2728
This is a very dangerous memory-resident parasitic polymorphic virus. It traces INT 13h, hooks INT 21h, and writes itself to the end of COM and EXE files that are executed. The virus checks file names by using the text string: ASCECLHVSPF-ACPRVINWI
and does not infect files with names that begin with: SCA, CLE, VSH, F-P, CPA, VIR, and WIN. While infecting a file, the virus also checks it for some specific code and patches it. Under a debugger, or on the 13th of any month, and depending on the system timer, the virus corrupts hard drive sectors and reboots the computer. Starting from the 4096th (1000h) infection, the virus overwrites the data saved on the disk with the following text: PRIEST V.D.G.I. hopes you can recover your data !!!
The virus also contains the text string: Pest (c) 12/10/93 by (and best wishes from) PRIEST Int., Gbw/Germany
Check other viruses! Be aware! Use Antiviral Software
Macro.Excel.Don
Description Macro.Excel.Don
This is an Excel macro virus. It contains one module, DON, which contains one function, AutoOpen. The infection routine in the virus code is stored as 49 encrypted text strings. When needed (on infection), the virus decrypts them, saves them to the DON.TXT file, then copies this file to the macros area under the name "Replicate" and executes it. After execution (i.e. after infecting a file or the system), the virus deletes the "Replicate" module. If an infected file is opened from the Excel startup directory (i.e. the system is already infected), the virus sets its AutoOpen function to run on sheet deactivation (OnSheetDeactivate function) and infects Workbooks whenever the active sheet changes. Otherwise, the virus creates an infected file with the name <number>.DON in the Excel startup directory, i.e. infects the system. The virus can be easily detected by the presence of a <number>.DON file in the XLSTART directory. The virus also creates the DON2.TXT file and writes the name of the active Workbook to it.
Macro.Excel.Emperor.a
Description Macro.Excel.Emperor.a
This virus infects Excel sheets. It contains one macro (module) with the name "Emperor[number]" that contains five functions: Auto_Open, keyplus, check_file, write_virus, run_virus. Upon opening (closing), the infected Excel file executes the Auto_Open (Auto_Close) virus function. This function calls the check_file (CheckFile) function, which sets a four-digit password on the virus sheet. The virus then makes all hidden windows visible, looks for the "Emperor" module in all Workbooks, and infects the uninfected ones. While infecting, the virus copies its macro under the name "Emperor[number of infection]". The virus then closes all windows that were opened during infection. The virus deletes the menus: Worksheet View - Toolbars, Format - Sheets, Tools - Scenario; Module - Edit/Delete, Tools/Menu Editor, Tools/Protection. On the 1st and 15th of any month, depending on the random system counter, the virus displays the MessageBox: The First Emperor Ver 1.00 [02/29/1997] [the rest of the text is in an unknown encoding]