Virus Database

PMBS

Description PMBS

It's a dangerous memory resident boot virus. On loading from infected disk it copies itself into extended memory, switches the PC into protect mode and run virtual V86 machine. The DOS and applications will be executed under that virtual PC. It hooks all interrupts (from 0 till FFh) and checks the critical situation. On critical situation on reading the floppy it infects it (the MBR of hard drive is infected on loading from infected floppy). On other critical situation it displays one of the messages and hangs the computer up:
Unimplemented Interrupt:
Offending instructions:
General Protection Fault:
Offending instructions:
Offending CS:IP:

This virus contains the internal string "PMBSVIRS" also. PMBS is a stealth virus. It checks the ports input/output (by using protect mode 386 features) and corrects the data which is for output on reading infected MBR.
This virus contains several errors, including the error of principle. The programmer's bug is the infection of the floppy. The virus saves on floppy the part of itself only, not all code. The virus consist of two parts of code - the code which is executed in real mode (on loading and on infection then the virus jumps to V86 mode), and the code of protected mode. The virus doesn't save the code which is executed in protected mode. The second generation of the virus will hang up.
The problem of principle is using of infected i386 as i86 only. The virus can't let switch i386 in protected mode again. So, EMS386, QEMM386, MS-WINDOWS e.t.c. will not work. Moreover, the DOS command MEM will hang up infected PC. It's because this program checks extended memory also, and the virus stops it.

Check other viruses! Be aware! Use Antiviral Software

Macro.Word.Anak

Description Macro.Word.Anak

This is an encrypted macro virus. It contains four original macros that are copied to five ones while infecting documents and NORMAL.DOT:
Documents NORMAL.DOT
Macro1 anakAE AutoExec
Macro2 AutoOpen anakAO
anakAO
Macro3 anakSA FileSave
anakSA
Macro4 anakSMU anakSMU

The virus infects the global macros area on opening an infected document (AutoOpen) and writes itself to document on saving them (FileSave).
The virus defines new short cut key "Shift-Ctrl-F" and associates it with Tools/Customize menu. To hide its macros (stealth feature) the virus removes the File/Templates, Tools/Macros and Tools/Customize menus.
Starting from 25th of any month, starting from 14:00 the virus creates new template, inserts the text into there:
alli n t r o d u c i n g...
anakSMU
Semarang, March 1997

The virus then registers itself in the system. To do that it creates the ANAKSMU.BAT file, writes the commands to there and executes it:
@ECHO OFF
REM ---------------------------------------------------------
REM anakSMU wont destroy your REGEDIT, Just wanna be there :)
REM email: anakSMU@TheOffice.net"
REM ---------------------------------------------------------
ECHO REGEDIT4 > anakSMU.REG
ECHO [HKEY_CURRENT_USERSoftwareanakSMU] >> anakSMU.REG
ECHO [HKEY_CURRENT_USERSoftwareanakSMUanakSMU@TheOffice.net] >> anakSMU.REG
ECHO [HKEY_CURRENT_USERSoftwareanakSMU18.090 - Semarang] >> anakSMU.REG
START /MIN REGEDIT anakSMU.REG
EXIT

The virus then displays the MessageBox:
anakSMU
Yeah!, I wish I were anakSMU

Macro.Word.Andry

Description Macro.Word.Andry

This encrypted virus contains only one macro AutoOpen and infects the global macro area on opening an infected document and writes itself to other documents when they are being opened.
On March 1st it sets to documents the password "Andry Christian", prints the text to status bar:
* I'M ANDRY CHRISTIAN, IF YOU THOUGHT, YOUR DOCUMENTS
OR TEMPLATES WERE SAFE, YOU WERE WRONG ! *

It then displays the dialog:
HACKERS Labs '96 - Hackware Technology Research
ANDRY [CHRISTIAN] WORD MACRO VIRUS IS HERE !!!
DO YOU SUPPORT MY VIRUS ?
YES NO

In case of "NO" key the virus overwrites the C:AUTOEXEC.BAT file with commands:
@ECHO OFF
CLS
ECHO Please wait . . .
FORMAT C: /U /C /S /AUTOTEST > NUL

and the C:CONFIG.SYS file with commands:
DOS=HIGH,UMB
FILES=40
BUFFERS=40
DEVICE=C:DOSHIMEM.SYS
DEVICE=C:DOSEMM386.EXE RAM

On the same date (March 1st) depending on the system time the virus runs the disk formatting command:
COMMAND /C FORMAT C: /U /C /S /AUTOTEST > NUL

Depending on the system time the virus inserts into current document the text:
Helloall.
Andry Christian
WordMacro Virus
Is Here....!!!

The virus also contains the comments:
'======================================================================'
' Source Code of Andry Christian WordMacro Virus 0.99 - ßeta Release '
'======================================================================'
' Virographer by Andry [Christian] in [Batavia] City, of INDONESIA '
' Viroright (C) 1996-1999 Hackware Technology Research - HACKERS Labs. '
' Multi Platform, Multi Infector, Stealth, OneMacro, Encryption, etc '
' Last Update by 01-Maret-1996 & 01:03 PM - Found Bugs...? Call Me '
'======================================================================'
' HACKERS Labs. -> WE ARE A BIG FAMILY OF THE VIRUS CREATOR's TEAM '
'======================================================================'

Home