Baran.3294
Description Baran.3294
These are memory-resident, parasitic, polymorphic viruses. They hook INT 21h and write themselves to the end of COM and EXE files. "Baran.3294" infects files that are executed or closed. "Baran.4968" infects files that are closed (both FCB and Handle calls), executed,

To hook the interrupt vectors, these viruses use several tricks. The INT 21h handler in the "Baran.3294" virus contains just one instruction: a call to INT 1 (CDh 01h). That virus also hooks INT 1, so when an INT 21h call is performed, control is passed to the INT 1 handler, which contains the file infection routines.

"Baran.4968" traces INT 13h and INT 21h. To hook INT 21h, the virus patches the INT 21h handler in the DOS area (the original INT 21h handler) with an INT 29h call (CDh 29h), then patches the INT 29h handler with a FAR JMP_Virus instruction. As a result, the virus handler receives both INT 21h and INT 29h calls. To separate them, the virus checks the address of the caller and either executes the original INT 29h or passes control to the virus INT 21h handler. If the virus cannot hook INT 21h, it infects the command interpreter by using the COMSPEC= pointer. If MS Windows is active, the virus also infects the program that will be executed when Windows exits to DOS.

"Baran.4968" is a stealth virus. When an infected file is opened (both FCB and Handle calls), loaded as an overlay or debugged, the virus disinfects it. This virus also checks the file name and does not infect the files IBMBIO.* and IBMDOS.*.

"Baran.3294" is not a dangerous virus. Depending on the system time it displays the message: Gwadera to baran !
"Baran.4968" is a very dangerous virus. Depending on its internal counter it corrupts the data that are saved on disk. It contains the text: Unknown destroyer v1
Constructor.VBS.SSIWG
Description Constructor.VBS.SSIWG
"VBS.SSIWG" is a script-worm construction tool. It was used to create the "SSIWG" virus families. The constructor is able to create worms that can replicate using e-mail and IRC channels (using the mIRC or pIRCh programs). The worms created using this constructor can also start automatically in Windows and encrypt their code. There are 2 different versions of this constructor.
Constructor.VCL
Description Constructor.VCL
The virus constructor utility VCL.EXE (Virus Creation Laboratory) seems to be the most well-known virus creation tool. This constructor can generate assembler source files of the viruses, OBJ modules and infected master files. VCL contains the standard pop-up menu interface. By using VCL menus, it is possible to choose the virus type and to enable or disable self-encryption, anti-debugging code, and internal text strings. It is also possible to choose up to 10 effects, which are summoned upon virus execution, etc. VCL-based viruses can use a standard means of infection (they append their code to the files while infecting them), overwrite the files, or use companion technology. The main properties of VCL viruses are: they are non-memory resident; they scan the subdirectory tree or the current directory of the current drive while infecting files; they append to COM files, create new COM files, or overwrite COM and EXE files.