Virus Database

PM_Wanderer.3684

Description PM_Wanderer.3684

This is a protected-mode resident parasitic polymorphic virus named after the text string in its code:
WANDERER,(c) P. Demenuk

The virus infects COM and EXE files (except COMMAND.COM) that are executed or opened. While infecting a file the virus writes itself to the beginning of COM files and to the middle of EXE files (between EXE header and EXE module). The original file code/data is saved to the end of the file.
When an infected file is executed, the virus copies itself to extended memory, switches the system to protected mode and hooks INT 1 (tracing) and INT 9 (keyboard) interrupts. As a result the virus cannot be visible by standard DOS anti-virus or memory browsing utilities.
To hook DOS calls Execute and FileOpen the virus uses i386 debug features. It sets one of the i386 debug breakpoint to the address of INT 21h handler. As a result when control is passed to the INT 21h handler, i386 generates INT 1 call and the virus takes control.
The virus looks for some specific code in the DOS memory (some anti-virus?) and patches its code. The virus does not install itself memory resident if there is no EMS memory available. When MS Windows is run the virus turns off i386 debugging and restores it after Windows finished on the first keystroke (INT 9). The virus is not bug-free and in some cases it halted my test computer.

Check other viruses! Be aware! Use Antiviral Software

Later.987

Description Later.987

This is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the beginning of COM and to the end of EXE files that are executed or opened. While installing into the memory, before return to the host program this virus disinfects the host file. If an installed DOS have version is lesser that 3.0, the virus displays on Sundays:
TRANSPLANT & NETWARE

Lation.897

Description Lation.897

It is a dangerous nonmemory resident parasitic virus. It searches for .EXE files, then writes itself to the end of the file. The virus also searches for some non-EXE files and patches (corrupts?) them. The virus contains the text string:
fUCKUp(C++), by <mutilation.h> 1997

Home

Viruses from A to Z
0-9 A B Ñ D E F G H I J
K L M N O P Q R S T
U V W X Y Z



Fyra Ess Nord Aktiebolag
BIL-TRIM, LARS JOHNSSON
BILTEMA LULEÅ AB
Johansson, Kjell Allservice Aktiebolag
GolvtjÄnst I LinkÖping Ab

    Copyright © 2005 Virus-Database.com
© 2005 Virus-Database.com