Virus Database

Semtex Family

Description Semtex Family

These are memory resident not dangerous viruses. They hook INT 8, 21h and write themselves to the end of .COM files that are opened or executed. Sometimes they fill the screen with random data. They contain the texts:
"Semtex.515,619,1000.a":
S E M T E X by Dusan Toman, CZECHOSLOVAKIA (7)213-040 or (804)212-23

"Semtex.686":
!!! explosive !!! S E M T E X !!! explosive !!!
Written by Dusan Toman, CZECHOSLOVAKIA Pyrotechnician Lilo Hedera
(7)213-040 or (804)212-23

"Semtex.1000.b":
S E M T E X by Dusan Toman, CZECHOSLOVAKIA *** Have a nice day ***

Check other viruses! Be aware! Use Antiviral Software

Pizelun.3599

Description Pizelun.3599

It is not a dangerous memory resident parasitic encrypted virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are accessed. On DOS calls GetDir it searches for the files and infects them. On May, 1995 it hooks INT 8, 10h, 15h also and manifests itself in different ways: blinks with Num/Caps/ScrollLock indicators, changes the video palette, lower-cases the strings are displayed, intercepts Alt-Ctrl-Del and halts the system with video and sound noise, displays the message:
PIZELUN attivato, attivatissimo!
Premere un tasto per continuare . . .

It also contains the text string:
Alüra? ALF

PK.4096

Description PK.4096

It is a dangerous memory resident polymorphic and stealth parasitic virus. It writes itself to the end of COM and EXE files. The virus infects files that are copied to A: or B: floppy disks. While installing memory resident it also searches for files on C: drive and infects them. Depending on its random counter it also infects COM files with "Small.66.b" parasitic COM virus.
The virus uses several level of encryption. The first level is polymorphic, the second level uses anti-debugging tricks, the third level is on-the-fly encryption - main part of virus code is encrypted at any time. In case of need the virus decrypts its subroutines, calls them and then encrypts with new key. The virus also uses other anti-debugging tricks, some of them are incorrect. As a result the virus does not work on Pentium PC.
The virus is memory resident, but it does not leave its TSR copy in the system memory - it encrypts and saves its code to the reserved sectors on the hard drive (on the first track), copies 200 bytes of its INT 21h handler to DOS data area (at address 0054:0000), hooks INT 21h and returns control to host program. In case of need INT 21h handler reads complete virus code from hard drive to video memory, then decrypts and calls it. To hook INT 21h the virus patches the DOS kernel.
The virus intercepts several DOS functions: Execute, Read, Write, Seek, Create, Close, FindFirst/Next, Get File Date&Time. All these hooks except Execute and Create/Close are used by virus in its stealth routine. When the ADINF.EXE program is executed, the virus cancels it, then displays random letters followed with the message:
Divide overflow

When COM and EXE files are created on A: or B: drives, the virus stores file handles and infects these files on closing.
The virus contains the text strings:
JESUS CHRIST SUPERSTAR
(C)PK 10/94

Home