Ply.5175
Description Ply.5175
This is a dangerous, non-memory-resident parasitic virus. It searches for all EXE files in the current directory and writes itself to the end of each file. The virus is not encrypted, but it behaves like a polymorphic virus: its code in different infected files has very few constant bytes, so there is no constant scan-string with which to detect it. To achieve this, the virus uses a rather complex engine that "mixes" the code in the virus body. The virus body consists of three blocks: the main code, data, and redirected calls.

+----------+
|Main Code |
|          |
|----------|
|Data      |
|----------|
|Redirected|
|Calls     |
|          |
+----------+
All assembler instructions in the main code are at most 3 bytes long, and every instruction occupies three bytes in the virus code. If an instruction is shorter than 3 bytes, the free bytes are filled with NOP instructions. As a result, all instructions in the virus occupy 3-byte blocks. While infecting a file, the virus "moves" an instruction within its 3-byte block wherever a NOP is present, for example:

8C C8  MOV AX,CS   <-->   90     NOP
90     NOP                8C C8  MOV AX,CS
The data block also describes 6-byte blocks whose instructions can be copied to the redirected-calls area and replaced in place with a CALL or JMP command:

Replaced with CALL          Replaced with JMP           Original code
------------------          -----------------           -------------
E8 xx xx CALL -+      <-->  E9 xx xx JMP  -+      <-->  90    NOP
...          <-|---+        ...          <-|---+        8C C8 MOV AX,CS
...            |   |        ...            |   |
...            V   |        ...            V   |
8C C8 MOV AX,CS    |        8C C8 MOV AX,CS    |        <marked as free
90    NOP          |        90    NOP          |         block>
C3    RET ---------+        E9 xx xx JMP back -+
Therefore, any instruction can be shifted within its 3-byte block, copied to a randomly selected address in the virus and replaced there with a CALL or JMP command, and existing CALL and JMP redirectors can be replaced with the original code. No byte is encrypted, yet there are very few constant bytes with which to detect the virus. Such a complex engine is not bug-free, and the virus often corrupts files while infecting them. The virus checks file names before infecting and does not infect the following files:

AVP AVPLITE AVPVE BAIT EICAR EMM386 F-PROT FV386 FV86 MSAV MVTOOL10 SCAN TBSCAN TBAV TBCHECK TBCLEAN TBDISK TBDRIVER TBFILE TBGENSIG TBKEY TBLOG TBMEM TBSETUP TBSCANX TBUTIL VALIDATE VIRSTOP VIRUS VPIC VSAFE
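A canonical-form check for the NOP-shifting described above, added here as an example (it is not part of the original description): it undoes the in-block shifting so that one fixed scan-string can be compared across infections. The instruction bytes are constructed, and the CALL/JMP redirection is not handled.

```python
NOP = 0x90
BLOCK = 3  # every Ply instruction occupies one 3-byte block


def normalize_blocks(code: bytes) -> bytes:
    """Put every 3-byte block into canonical form: instruction first, NOPs last.

    The engine only slides an instruction past its NOP padding inside its own
    block, so the non-0x90 bytes keep their relative order. Dropping every
    0x90 and right-padding therefore gives one fixed form per block. This
    stays consistent even when 0x90 is an operand byte (MOV AL,90h): it is
    dropped from both the reference and the sample, so they still compare.
    """
    if len(code) % BLOCK:
        raise ValueError("Ply code is a whole number of 3-byte blocks")
    out = bytearray()
    for i in range(0, len(code), BLOCK):
        body = bytes(b for b in code[i:i + BLOCK] if b != NOP)
        out += body + bytes([NOP] * (BLOCK - len(body)))
    return bytes(out)


def canonical_signature(reference: bytes) -> bytes:
    """Signature taken from one infected file: its blocks in canonical form."""
    return normalize_blocks(reference)


def scan(sample: bytes, signature: bytes) -> bool:
    """True if the canonical signature occurs in the sample.

    The 3-byte grid may start at any byte offset of the buffer, so all three
    alignments are tried; the signature is matched only on block boundaries.
    """
    for offset in range(BLOCK):
        usable = (len(sample) - offset) // BLOCK * BLOCK
        norm = normalize_blocks(sample[offset:offset + usable])
        for i in range(0, len(norm) - len(signature) + 1, BLOCK):
            if norm[i:i + len(signature)] == signature:
                return True
    return False


# Constructed samples (not bytes from a real Ply infection): the same four
# instructions MOV AX,CS; MOV DS,AX; MOV AL,90h; PUSH CS, NOP-shifted two ways.
VARIANT_A = bytes.fromhex("8CC890" "8ED890" "B09090" "0E9090")
VARIANT_B = bytes.fromhex("908CC8" "908ED8" "90B090" "90900E")

if __name__ == "__main__":
    sig = canonical_signature(VARIANT_A)
    print("raw scan-string from A found in B:", VARIANT_A in VARIANT_B)
    print("canonical match A, B:", scan(VARIANT_A, sig), scan(VARIANT_B, sig))
```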
This virus deletes the NCDTREE file, if it exists.
Macro.Word97.Calendar
Description Macro.Word97.Calendar
This virus contains seven macros: AutoOpen, AutoClose, ToolsMacro, FileSaveAs, FileTemplates, Calendar, and ViewVBCode. It infects documents that are opened, closed or saved under a new name (AutoOpen, FileClose, FileSaveAs). Upon opening a file, the virus also turns the VirusProtection option off. Upon entering the Tools/Macro menu, the virus displays the MessageBox:

Microsoft Word
You do not have permission to do this
On the following dates, the virus displays the MessageBoxes: January 1 "New Year's Day", January 20 "Martin Luther King Jr. Day", February 12 "President Lincoln's Birthday and Ash Wednesday", February 14 "Valentine's Day", February 17 "Presidents Day", February 22 "President Washington's Birthday", March 17 "St. Patrick's Day", March 23 "Palm Sunday", March 28 "Good Friday", March 30 "Easter", April 22 "Passover", May 9 "Calendar, coded by DarkChasm [SLAM]", May 11 "Mother's Day", May 17 "Armed Forces Day", May 19 "Victoria Day", May 26 "Memorial Day Observed", May 30 "Traditional Memorial Day", June 15 "Father's Day", July 1 "Canada Day", July 4 "Independence Day", October 2 "Rosh Hashonah", October 11 "Yom Kippur", October 12 "Columbus Day", October 13 "Columbus Day Observed", October 16 "Happy Birthday DarkChasm", October 24 "United Nations Day", October 31 "Halloween", November 4 "Election Day", November 11 "Veteran's Day", November 27 "ThanksGiving Day", December 21 "Happy Birthday Christy", December 24 "Christmas Eve and Hanukkah", December 25 "Christmas", December 31 "New Year's Eve".
Macro.Word97.Carrier
Description Macro.Word97.Carrier
This virus contains three macros in the class "ThisDocument": Document_Close, Document_New and Document_Open, and two in the module "Agent": AutoOpen and FileSaveAs. The virus replicates when documents are opened, closed or created. The replication routine uses Import/Export functions via the C:NORMAL.BAS file in the case of NORMAL.DOT and the C:DOCUMENT.BAS file in the case of documents. The virus uses the following comment to detect already infected files:

REM WRITTEN BY LORD ARZ
The virus sets the caption of all windows to:

Infected by the Carrier virus (a trooper has already landed)