Virus Database


PHP.Pirus

Description PHP.Pirus

This is the first known virus that infects PHP scripts (Hypertext Preprocessor scripting language, see http://www.php.net for more details). It was discovered in October 2000.
When the virus is activated, it looks for all .PHP and .HTM files in the current directory and infects them. The infection is done in quite a silly way. The virus does not write its complete code to the file, only a reference to the virus file: it adds one command to the end of the file, an "include virus file" command that refers to the virus code.
When an affected file is opened, the PHP scripting engine processes that "include" command as well, reads the complete virus code from the virus file and activates it.
As a result, the virus is present on the computer in just one instance, and all infected files merely refer to that copy. Because of this method of infection, the virus cannot spread from one computer to another and is able to operate inside one computer only.
The virus contains the text "pirus.php".
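
A defensive check for the infection marker described above, as an added example that is not part of the original database entry: it scans one directory for .PHP and .HTM files whose tail contains an include of the virus file. The exact include syntax, the use of "pirus.php" as the virus file's name, the 512-byte tail window and the sample files are assumptions or constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the appended command is a PHP include/require whose argument
# names "pirus.php". The entry gives that string but not the exact syntax.
INCLUDE_RE = re.compile(
    rb"\b(?:include|require)(?:_once)?\s*\(?\s*[\"'][^\"']*pirus\.php[\"']",
    re.IGNORECASE,
)
TARGET_SUFFIXES = {".php", ".htm"}  # file types the entry says are infected
TAIL_BYTES = 512                    # the reference is added at the end of the file


def scan_directory(directory):
    """Return (carrier, infected): the name of the virus file if it is present,
    and the sorted names of files whose tail includes it."""
    carrier, infected = None, []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        if path.name.lower() == "pirus.php":  # assumed name of the single virus copy
            carrier = path.name
            continue
        if path.suffix.lower() not in TARGET_SUFFIXES:
            continue
        # Only the tail is inspected: a page that merely mentions the name,
        # or includes some other file, is not reported.
        if INCLUDE_RE.search(path.read_bytes()[-TAIL_BYTES:]):
            infected.append(path.name)
    return carrier, infected


def demo():
    """Run the scan over constructed sample files in a temporary directory."""
    samples = {
        "index.php": b"<?php echo 'hi'; ?>\n<?php include(\"pirus.php\"); ?>\n",
        "page.htm": b"<html></html>\n<?php include('pirus.php'); ?>",
        "clean.php": b"<?php include('header.php'); ?>\n",
        "notes.htm": b"<p>The virus contains the text pirus.php</p>",
        "pirus.php": b"<?php /* constructed placeholder, not virus code */ ?>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            (Path(tmp) / name).write_bytes(body)
        return scan_directory(tmp)


if __name__ == "__main__":
    print(demo())
```

Because every infected file only refers to the single virus copy, the list of referencing files plus the carrier file is the full set of artifacts to review in that directory.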


GW.1201

Description GW.1201

It is a harmless memory-resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed or closed. The virus checks file names and does not infect anti-virus programs and files with the names: AIDSTEST, DRWEB, COMMAND, IBM*, AVP.
While infecting, the virus uses undocumented System File Tables. The virus also uses other tricks to hide itself in memory and access system resources: it traces INT 13h to get the original INT 13h handler and patches the DOS kernel to intercept file access calls.
The virus is encrypted in files as well as in system memory. When needed, the virus decrypts routines, executes them and then encrypts them again.
The virus does not manifest itself in any way. At the beginning of its code it contains a set of instructions that looks like a text string:
_GW

Gwar

Description Gwar

It is a very dangerous memory-resident encrypted stealth boot virus. It hooks INT 13h and writes itself to the boot sector of diskettes and the MBR sector of hard drives that are accessed. The virus copies its TSR copy to the interrupt table. From January 1st to 7th the virus displays a message and erases sectors on the hard drive. The message reads as follows:
Gwar virus by T-2000

    Copyright © 2005 Virus-Database.com