RedArc.327
Description RedArc.327
These are dangerous non-memory-resident encrypted parasitic viruses. They search for COM files in the current directory and write themselves to the end of each file. The viruses use anti-debugging and anti-detection tricks complex enough that they may halt the computer, and some variants also corrupt files while infecting them. Depending on the system timer, the "RedArc.623,665" viruses manifest themselves with a video effect. The viruses contain the following text strings:

"RedArc.390,415,600": RedArc // [TAVC]
"RedArc.623": -=* Red Arc *=-
"RedArc.1000": DemoFraud by RedArc // [TAVC] SGWW, DVC, FotD, SOS group, TAVC, CiD
Fab.1755
Description Fab.1755
It is a dangerous memory-resident parasitic virus, packed with the LzExe utility. It hooks INT 21h and writes itself to the beginning of EXE files that are executed or opened.

When an infected file is executed, the virus unpacks itself, gets the name of the host file, reads its own packed code from that file and keeps it in memory for later infections. The virus then allocates a block of system memory, creates a Program Segment Prefix there, reads the host file into that block, restores the necessary fields and passes control to that block, i.e. to the host program.

To stay memory resident the virus patches the MCB list, marks its memory block as a system block, traces INT 21h and hooks it. While tracing INT 21h the virus uses a quite unusual routine. It allocates a block of system memory, obtains the segment of the DOS code through an undocumented DOS function, copies the DOS code to that block and fills (erases) the DOS segment with the byte CCh (the INT 3 opcode). It then hooks INT 3 and calls INT 21h. The call passes through every INT 21h handler down to the erased DOS segment, where it reaches a CCh opcode; the CPU generates INT 3, the virus receives control, reads the address of the CCh opcode (i.e. the address of the original DOS INT 21h handler) and restores the code of the DOS segment. In this way the virus traces INT 21h and obtains the address of the DOS INT 21h handler without hooking INT 1 or setting the trace flag.

While infecting a file the virus creates a temporary file named $$$$$$$$, writes its packed code there (the code it read and kept while installing itself in memory), appends the contents of the target file to the temporary file, deletes the original file and renames the temporary file in its place. If an error occurs while installing itself in memory, the virus displays the following message and returns to DOS:

Error in all?... file

("...?..." is "EXE" in Cyrillic encoding). Depending on the system timer, if the system is in video mode, the virus calls a randomly selected DOS function, which can halt the system.
Fabi
Description Fabi
This is a multi-platform virus infecting Windows32 executable files (PE EXE) and MS Word documents and templates. Like every multi-platform virus, its code contains several parts (components), each of which does its work in its native environment: as a Win32 application in MS Windows, or as a macro program in MS Word. When either of the two virus components starts in its environment, it not only infects objects in that environment but also spreads the virus code to the other one: from Windows EXE files to Word documents, and from Word documents to Windows EXE files. The virus contains no destructive payload and does not manifest itself in any way. Infected EXE files contain the text:

(c) Vecna Parecia inofensiva mas te dominouall
Infecting EXE -> EXE

When an infected EXE file is executed, the EXE virus component takes control. It checks the type of the installed operating system, and if it is Windows NT the virus returns control to the host program and performs no other action. The virus runs its infection routine only under Windows 95/98. This routine searches for and infects all Win32 executable files in the current directory as well as in the WINDOWS and WINDOWS\SYSTEM directories. While infecting, the virus writes its code to the end of the last section, increases that section's size and modifies the necessary PE header fields. Because of a bug, the virus corrupts EXE files whose last section is larger than 64Kb: it writes its code into the middle of the file, and the corrupted program no longer works.

Infecting Macro -> Macro, Macro -> EXE

In infected documents and templates the virus consists of a single macro, AutoClose. It installs itself into the Word global macro area when an infected document is opened, and infects other documents when they are closed. To copy its code from one document/template to another the virus uses macro code editing instructions. To run the infected Windows EXE file the virus uses the standard approach: the binary EXE data is stored in the virus macro as text strings, converted to an ASCII hexadecimal dump. The virus saves this data to disk, creates a temporary DOS BAT helper and, using this helper and the DOS DEBUG utility, converts the hexadecimal dump back to binary EXE format and executes it. The EXE component of the virus then takes control and infects EXE files on the hard drive as described above. The known version of the virus has a bug here and cannot create the EXE file from the macro component; as a result, Windows EXE files remain uninfected.

Infecting EXE -> Macro

The routine that drops the macro component into Word from infected EXE files is activated right after the search-and-infect procedure for EXE files on disk is complete. This routine is more complex than the others described above and needs more temporary files to carry the virus code from EXE to Word. The virus creates three main files here:

FABI.SYS - a "dummy" PE EXE file that gets infected by the EXE virus component
FABI.SRC - the source virus macro code, plus the FABI.SYS binary data converted to hexadecimal ASCII strings
NORMAL.DOT - a Word template with a small macro that completes virus installation by importing the main virus code from FABI.SRC into NORMAL.DOT

To start spreading from EXE to Word the virus creates a short PE EXE file, C:\FABI.SYS, and infects it. The virus then creates the C:\FABI.SRC file and writes the source code of its AutoClose macro there, then appends to this file the contents of C:\FABI.SYS converted to hexadecimal ASCII lines. To complete this step the virus creates a specially prepared NORMAL.DOT file. It looks for a suitable place to drop this file in the directories:

C:\ARQUIV~1\MICROS~?\MODELOS
C:\ARCHIV~1\MICROS~?\MODELOS
C:\PROGRA~1\MICROS~?\TEMPLA~1

where '?' is counted from 1 to 9. The NORMAL.DOT file created in the first directory found contains a short macro, AutoExec, that is activated when MS Word starts. This macro just imports the virus macro source code from the C:\FABI.SRC file, completing the installation: NORMAL.DOT is now infected with the complete virus code.
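One defensive check for the EXE -> EXE infection described above, as an added example in Python (not from the original page or from any antivirus product): parse the PE section table and flag files whose entry point lies inside the last section, which is where an appending infector of this kind places its code. It assumes the virus redirects the entry point into the grown last section (the page says only that the necessary PE header fields are modified); the PE images it tests are constructed in memory as headers only.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes

def build_pe(entry_rva, sections):
    """Constructed minimal PE32 image (headers only, no code) for testing.
    sections: list of (name, virtual_address, virtual_size, raw_size, raw_ptr)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))            # e_lfanew
    opt = bytearray(224)                                     # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack(SECTION_HDR, name.ljust(8, b"\0")[:8], vsize, va, raw, praw,
                    0, 0, 0, 0, 0x60000020)  # code | executable | readable
        for name, va, vsize, raw, praw in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table

def entry_section(data):
    """Return (index of the section holding the entry point, section count);
    the index is None when the entry point maps to no section."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    entry = struct.unpack_from("<I", data, coff + 20 + 16)[0]  # AddressOfEntryPoint
    table = coff + 20 + opt_size
    hit = None
    for i in range(nsec):
        _, vsize, va, raw, _ = struct.unpack_from("<8sIIII", data, table + 40 * i)
        if va <= entry < va + max(vsize, raw):
            hit = i
    return hit, nsec

def entry_in_last_section(data):
    """Appending-infector heuristic: entry point inside the last section of a
    multi-section image. Single-section files are not flagged."""
    hit, nsec = entry_section(data)
    return nsec > 1 and hit == nsec - 1

if __name__ == "__main__":
    text = (b".text", 0x1000, 0x200, 0x200, 0x400)
    clean = build_pe(0x1000, [text, (b".data", 0x2000, 0x100, 0x200, 0x600)])
    # Same layout after .data was grown and the entry point moved into it.
    grown = build_pe(0x2100, [text, (b".data", 0x2000, 0x400, 0x400, 0x600)])
    print(entry_in_last_section(clean), entry_in_last_section(grown))  # False True
```

The heuristic alone produces false positives on some packers and linkers, so in practice it is one signal to combine with others (section size growth, last section marked executable) rather than a verdict by itself.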