PFS.3786
Description PFS.3786
This is a benign memory resident encrypted stealth multipartite virus. It infects the MBR of the hard drive and writes itself to the end of COM and EXE files. When an infected file is executed, the virus infects the MBR, hooks INT 21h and stays memory resident. When the system is booted from the infected disk, the virus stays memory resident, hooks INT 8 (timer), wait for DOS loading, then it releases INT 8 and hooks INT 21h.
The virus INT 21h handler hooks more than 10 DOS functions: FindFirst/Next (including long-names calls), open file, close, execute, rename, read, e.t.c. On opening, executing, renaming and file attribute access the virus infects the files. In case of other functions the virus calls its stealth routines.
Plus to file stealth ability the virus uses several quite complex tricks to hide its presence in the system. First of all the virus uses direct disk access calls to bypass BIOS anti-virus protection. To hide its TSR copy the virus leaves in the system memory just 339 bytes of its code - it copies it to the Interrupt Vectors Table. This code contains INT 21h handler that in case of needs reads the complete virus code from the first track of the hard drive and calls it. As a result the virus does not occupy the conventional system memory and is not visible by memory browsers. Depending on the system environment the virus also copies its code to the XMS memory and in case of need reads it from there, not from the hard drive.
The virus contains the text strings:
PowerFul Stealth v6.1 (c)'98 DK eyegabooom
Check other viruses! Be aware! Use Antiviral Software
FCL.2044
Description FCL.2044
This is a dangerous memory resident encrypted parasitic virus. It hooks INT 21h, and writes itself to the end of COM and EXE files that are accessed. The virus does not infect files with names HW*, V3*, etc. according to the string (two bytes per name):
HWV3F-J2T2TKTVTBWCCODEVIFIGIRAFEMTBRWI
On December 25, or if the system date is December 3rd 1997, or depending on some system conditions (if some memory resident anti-virus is installed?) the virus erases the CMOS.
The virus contains the text strings:
[FCL virus ] Nice Meet You See Again
NO WORK LAW
FCruncher.296
Description FCruncher.296
It is a very dangerous memory resident overwriting virus. It hooks INT 21h and overwrites COM and EXE files that are executed or opened. The 255th generation of this virus formats the hard drive sectors. The virus displays the messages:
File Cruncher!!
Bad command or filename
-<([CRUNCH])>-
|
Home
Viruses from A to Z
0-9
A
B
Ñ
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
Fix Finden
Diaet
Digital Beta Cam
Kfz Versicherungen
Perdido Auto Insurance
|