Pusher.374
Description Pusher.374
It is a harmless memory resident parasitic polymorphic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. The virus contains the text strings: [PUSH]
The most interesting feature of this virus is its polymorphic engine. Before writing to the file, the original virus code (374 bytes) is converted into a polymorphic sequence of instructions that push this code onto the stack (as a result each word of virus code is converted to several bytes, and the file length grows by about 740 bytes). When the complete virus code has been put on the stack, the virus jumps to it:

    MOV  AX,Opcode1
    PUSH AX
    ADD  AX,Data1    ; result is Opcode2
    PUSH AX
    SUB  AX,Data2    ; result is Opcode3
    PUSH AX
    INC  AX          ; result is Opcode4
    PUSH AX
    ...
    JMP  SP
The installation routine, when it takes control, copies the virus code to the system memory and returns to the host program.
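For analysts, the push chain described above can be undone statically by tracking AX through the sequence. The following is an added example, not code from the original page: a small Python tracer run over a constructed, inert sample. The function name, the sample bytes and the use of the short accumulator encodings (B8, 05, 2D, 40, 50, FF E4) are assumptions; the page does not list the exact encodings the virus emits.

```python
import struct

# 16-bit x86 encodings assumed for the pattern (not taken from the page)
MOV_AX, ADD_AX, SUB_AX, INC_AX, PUSH_AX = 0xB8, 0x05, 0x2D, 0x40, 0x50
JMP_SP = b"\xFF\xE4"

# Constructed sample: a chain that leaves the inert bytes b"TESTDATA" on the stack
SAMPLE = bytes.fromhex("B85441 50 2D1000 50 050F13 50 2D000F 40 50 FFE4")

def recover_pushed_image(code: bytes) -> bytes:
    """Trace AX through a MOV/ADD/SUB/INC + PUSH AX chain without executing
    it and return the bytes the chain would leave at SP, in memory order."""
    ax, pos, words = None, 0, []
    while pos < len(code):
        if code[pos:pos + 2] == JMP_SP:
            break                          # end of the chain
        op = code[pos]
        if op != MOV_AX and ax is None:
            raise ValueError(f"AX used before MOV at offset {pos}")
        if op in (MOV_AX, ADD_AX, SUB_AX):
            if pos + 3 > len(code):
                raise ValueError(f"truncated immediate at offset {pos}")
            (imm,) = struct.unpack_from("<H", code, pos + 1)
            if op == MOV_AX:
                ax = imm
            elif op == ADD_AX:
                ax = (ax + imm) & 0xFFFF   # 16-bit wraparound
            else:
                ax = (ax - imm) & 0xFFFF
            pos += 3
        elif op == INC_AX:
            ax = (ax + 1) & 0xFFFF
            pos += 1
        elif op == PUSH_AX:
            words.append(ax)
            pos += 1
        else:
            raise ValueError(f"unexpected opcode {op:#04x} at offset {pos}")
    else:
        raise ValueError("no JMP SP terminator found")
    # The stack grows downward, so the last word pushed is the first in memory.
    return b"".join(struct.pack("<H", w) for w in reversed(words))

if __name__ == "__main__":
    print(recover_pushed_image(SAMPLE))
```

Because the stack grows downward, the chain pushes the code back to front; the tracer reverses the push order so the output matches what sits at SP when JMP SP runs.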
PFS.3786
Description PFS.3786
This is a benign memory resident encrypted stealth multipartite virus. It infects the MBR of the hard drive and writes itself to the end of COM and EXE files. When an infected file is executed, the virus infects the MBR, hooks INT 21h and stays memory resident. When the system is booted from the infected disk, the virus stays memory resident, hooks INT 8 (timer), waits for DOS to load, then releases INT 8 and hooks INT 21h.

The virus INT 21h handler hooks more than 10 DOS functions: FindFirst/Next (including long-name calls), open file, close, execute, rename, read, etc. On opening, executing, renaming and file attribute access the virus infects the files. For the other functions the virus calls its stealth routines.

In addition to its file stealth ability, the virus uses several quite complex tricks to hide its presence in the system. First of all, the virus uses direct disk access calls to bypass BIOS anti-virus protection. To hide its TSR copy, the virus leaves just 339 bytes of its code in system memory, copying them to the Interrupt Vector Table. This code contains an INT 21h handler that, when needed, reads the complete virus code from the first track of the hard drive and calls it. As a result the virus does not occupy conventional system memory and is not visible to memory browsers. Depending on the system environment, the virus also copies its code to XMS memory and, when needed, reads it from there rather than from the hard drive.

The virus contains the text strings: PowerFul Stealth v6.1 (c)'98 DK eyegabooom
PG
Description PG
It's a harmless memory resident boot virus. It hooks INT 13h and writes itself into the boot sectors of floppy disks and the first boot sector of the hard drive. The original sector is stored at the last disk sector. This virus contains the internal text string: "PG".