Phoenix Family
Description Phoenix Family
These are very dangerous resident polymorphic parasitic viruses. They write themselves to the middle of COM files that are executed or closed. They write to the end of EXE files the trojan program that in some cases erases all information on installed hard disks.
"Phoenix.Proud,Live" infect COM files only, "Phoenix.Live.a" does not infect COMMAND.COM.
While infecting a COM file the virus reads the data from the middle of the file, saves it to the end of the file, and then overwrites the data in the file middle with its copy and writes Jmp-Virus command to the beginning of the file. While infecting COMMAND.COM the virus writes itself to the the stack area of COMMAND.COM, and the file length does not grow.
Infection of COM file Infection of COMMAND.COM file
+-----------+ +-----------+ +-----------+ +-----------+
¦ File ¦ ¦ File ¦ ¦COMMAND.COM¦ ¦COMMAND.COM¦
¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦
¦ ¦ ¦ ¦ ¦ ¦ ¦ ¦
+ - - - - - ¦ +-----------¦ + - - - - - ¦ +-----------¦
¦ ¦--+ ¦ Virus ¦ ¦ ¦ ¦ Virus ¦
+ - - - - - ¦ ¦ +-----------¦ + - - - - - ¦ +-----------¦
+-----------+ ¦ ¦- - - - - -¦ +-----------+ +-----------+
+-->¦ ¦
+-----------+
The viruses also hook INT 13h and then, depending on some preconditions, randomly rearrange bytes in information blocks being read from, and written to disks.
The viruses of the family for the first time uses two new methods. First, the viruses intercept DOS calls to the files by using INT 2Ah instead of INT 21h. Second, the viruses (except "Phoenix.Live.a") are polymorphic and do not have any constant mask (signature): the main part of the virus is encrypted, and a decoding program (32 bytes long) is selected from 204 possible variants (one have to bear in mind that these viruses have the following lengths: "Phoenix" - 1704 bytes, "Phoenix.Evil" - 1701 bytes, "Phoenix.Proud" - 1102 bytes).
The viruses contain the text strings:
"Phoenix": PHOENIX
"Phoenix.Evil": The evil that men do lives on and on and onall
"Phoenix.Proud": Proudly made in Sofia
"Phoenix.Live.a,b": Live after Death
Check other viruses! Be aware! Use Antiviral Software
Macro.Excel.Yohimbe
Description Macro.Excel.Yohimbe
This is an Excel macro virus. The only module (macro) in this virus is named "Exec", it contains three subroutines: Auto_Open, DipDing, PayLoad and one function: SheetExists. Auto_Open routine is auto one, it is called by Excel on opening any file. On this call the virus infects PERSONAL.XLS. In case of any error, the virus infects all active books (files). Before returning the Auto_Open macro sets the DipDing subroutine as a timer handler that is called starting from 4:00pm. This subroutine infects all opened books.
The virus writes the string "Yohimbe" to the sheet header. The virus also sets PayLoad subroutine as called starting from 4:45pm. This routine re-sizes active sheet, draws a picture and inserts the text "FUCK YOU BUDDY" into the sheet.
Macro.Excel97 Laroux, Legend, Lord, Robocop, Tjoro
Description Macro.Excel97 Laroux, Legend, Lord, Robocop, Tjoro
These viruses were converted to MS Excel97 from their MS Excel prototypes, and as a result they have the same set of macros, functions, features and effects. See their Excel prototypes.
|
Home
Viruses from A to Z
0-9
A
B
Ñ
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
|