Virus Database


RDA.Fighter

Description RDA.Fighter

These are dangerous memory-resident polymorphic parasitic viruses; "RDA.Fighter.7408" is also multipartite. They trace and hook INT 21h, and write themselves to the end of COM and EXE files that are executed, opened or renamed. They also encrypt a randomly selected part of the host file.
While an infected file is executing, "RDA.Fighter.7408" infects the MBR of the hard drive. When loading from an infected disk it hooks INT 8, and once DOS is loaded it hooks INT 21h. This virus uses a highly polymorphic engine that generates a sequence of decryption loops (up to 16): the first loop decrypts the virus body and the code of the other loops and passes control to the second loop, and so on. The virus body is therefore encrypted several times, once per decryption loop.
These viruses use an error correction algorithm to prevent debugging and modification of the virus body. If the virus code is traced during the installation procedure, the viruses erase disk sectors.
The viruses contain the text strings:
"RDA.Fighter.5871": RandomDecodingAlgoritm 1.0
"Stealth Fighter PART I" devoted MSU!
"RDA.Fighter.5969": RandomDecodingAlgoritm 1.1
"Stealth Fighter PART I (1.1) for ALL."
"RDA.Fighter.7408": "RandomDecodingAlgoritm 2.0"
"PhantomPolymorphicMultiLayerEngine 1.2"
"Stealth Fighter 2.0 : New Aggression."

"RDA.Fighter.7408" displays the last string.
After installation the viruses restore the code of the host program using the data ("host data") that was saved on infection. While restoring the host program they decrypt the part of the host code that was encrypted on infection, restore the header of the COM file and pass control to the host program. The most interesting feature of these viruses is that after the virus body has been decrypted the host data is still not decrypted, because it is encrypted twice on infection. The algorithm of this additional encryption is selected randomly: the virus selects a random number of instructions (up to 16) from 16 variants of encryption commands (XOR, SUB, ADD, ROL, ROR, NEG, etc.). There may be 65535 (FFFFh) variants of such an encryptor. On infection the virus encrypts the host data using that method, but does not save the corresponding decryption routine needed to restore the host data.
To decrypt the host data the virus generates a decryption routine by randomly selecting from the same 16 encryption commands, and tries to decrypt the host data. If the host data is not decrypted (the virus calculates and checks the CRC sum), the virus generates the next decryptor, decrypts the host data, calculates and compares the CRC, and so on until the host data appears in its original form. This may take some time even on fast computers.
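
Because no decryption routine is stored, any tool that restores an infected host has to run the same CRC-guided search. The sketch below is an added example, not code from the virus or from this database; it models that search on constructed data and assumes byte-wise operations with fixed operands, zlib's CRC-32 as the checksum, and a reduced space of 6 operations in sequences of up to 3.

```python
import itertools
import zlib

# Assumed byte-wise operations as (encrypt step, inverse step). The page names
# only the mnemonics; the operands 0x5A / 0x11 / 0x07 are constructed.
def _rol(b): return ((b << 1) | (b >> 7)) & 0xFF
def _ror(b): return ((b >> 1) | (b << 7)) & 0xFF

OPS = {
    "XOR": (lambda b: b ^ 0x5A, lambda b: b ^ 0x5A),
    "ADD": (lambda b: (b + 0x11) & 0xFF, lambda b: (b - 0x11) & 0xFF),
    "SUB": (lambda b: (b - 0x07) & 0xFF, lambda b: (b + 0x07) & 0xFF),
    "ROL": (_rol, _ror),
    "ROR": (_ror, _rol),
    "NEG": (lambda b: -b & 0xFF, lambda b: -b & 0xFF),
}

def table(seq, decrypt=False):
    """Compose an op sequence into one 256-byte translation table."""
    steps = [OPS[n][1] for n in reversed(seq)] if decrypt else [OPS[n][0] for n in seq]
    out = bytearray(range(256))
    for step in steps:
        out = bytearray(step(b) for b in out)
    return bytes(out)

def recover(blob, stored_crc, max_len=3):
    """Try candidate decryptors until the CRC matches.
    Returns (sequence, plaintext, attempts) or (None, None, attempts)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for seq in itertools.product(OPS, repeat=length):
            attempts += 1
            candidate = blob.translate(table(seq, decrypt=True))
            if zlib.crc32(candidate) == stored_crc:
                return seq, candidate, attempts
    return None, None, attempts

# Constructed sample: stand-in "host data" (a made-up COM header plus filler).
HOST_DATA = bytes.fromhex("e9341200") + b"CONSTRUCTED-HOST-DATA"
SECRET_SEQ = ("ROL", "XOR", "ADD")       # discarded after encryption
BLOB = HOST_DATA.translate(table(SECRET_SEQ))
STORED_CRC = zlib.crc32(HOST_DATA)       # the only value kept for verification

if __name__ == "__main__":
    seq, plain, n = recover(BLOB, STORED_CRC)
    total = sum(len(OPS) ** k for k in (1, 2, 3))
    print(f"recovered after {n} of {total} candidates using {seq}")
```

The reduced space here holds 258 candidates; the cost grows with the number of operations and the maximum sequence length, which is why the page notes the real search can be slow.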


Macro.Word.Gable

Description Macro.Word.Gable

This is a harmless Word macro virus. It contains two macros: AutoOpen, FileSaveAs. It infects the global macros area on AutoOpen and writes itself to documents on FileSaveAs. It does not manifest itself in any way.

Macro.Word.Gang

Description Macro.Word.Gang

This is an encrypted virus. It contains two macros: Paradise and Gangsterz. The virus has no auto-macros; to receive control it assigns the SPACE key to the macro "Paradise" and the "E" key to the macro "Gangsterz". As a result, MS Word calls these macros when SPACE or "E" is pressed. MS Word also restores these key assignments whenever an infected document or the global macros are loaded.
On January 15th the virus calls its trigger routine: it creates the NORMAL.DOT file and inserts into it the following text, written in bold with font size 26:
Big_Daddy_Cool Virus generated by NJ

and then draws a picture there.
The virus drops the batch virus "BAT.Xop" and writes the following strings to the system profile (WIN.INI file):
[Intl]
XOP=Installed

and appends the following commands to the end of the C:\AUTOEXEC.BAT file:
@echo off
Xop.bat

    Copyright © 2005 Virus-Database.com