Sformat.699
Description Sformat.699
This is a very dangerous memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of .COM files that are executed. The virus contains a lot of bugs, so it can halt a computer while installing a memory resident. On Fridays, it formats the hard drive, and contains the text:
Sofia - Slow-Format/M 1992
Check other viruses! Be aware! Use Antiviral Software
Drzip.512
Description Drzip.512
It is not a dangerous memory resident encrypted parasitic virus. It hooks INT 21h and writes itself at the begin of COM files that are accessed. The virus also encrypts hole host file. On opening ZIP files the virus reads their headers, looks for ZIP archive signature and overwrites its. As a result ZIP archives become damaged.
The virus contains the text string:
[SMF.DrZip]
DS.3783
Description DS.3783
This is a relatively harmless, memory resident multi-partite stealth virus. It infects COM, EXE, NewEXE files, the MBR of the hard drive and the boot sector of floppy disks. While infecting DOS files, the virus writes itself to the end of the file and modifies the file header. While infecting NewEXE files, the virus also writes itself to the end of the file, but modifies NewEXE header - creates new Segment Table, fixes other fields in NewEXE header and defines a new code segment that contains the virus' code.
While infecting floppy disks, the virus formats an extra track (80th) and writes itself into there. While infecting the MBR, the virus writes itself to the hidden sectors of the first track. Then the virus overwrites the boot sector or the MBR with the loading code (1Ch bytes).
When the system is booting from an infected disk, the loader reads the virus' code from the disk to address 7C00:0000 and passes control to virus installation routine. This routine hooks INT 13h, and returns control to the original bootstrap procedure.
INT 13h handler waits for the DOS loading process, then the virus patches a DOS kernel with CALL FAR VirusHandler calls and hooks INT 21h, 2Ah, an 2Fh. When the first program is executed, the virus allocates a block of UMB or conventional memory and copies itself to there. Then the virus infects executable (DOS COM, EXE and Windows NewEXE) files that are accessed and the boot sector of floppy disks.
When infected COM or EXE files is executed, the virus cuts a block of conventional memory, copies itself to there, hooks INT 13h, 21h, 2Ah, and 2Fh and stays memory resident. When an infected NewEXE file is executed, the virus installs itself memory resident by using DPMI calls.
The virus checks the file names that are accessing a file, and in case of archive, backup and disk checking utilities, disables several branches of its stealth routine. The list of such utilities appears as follows:
PKZIP ARJ RAR LHA TELIX BACKUP MSBACKUP CHKDSK
The virus detects its already loaded TSR copy by a INT 21h call with AX=187Fh and BX=4453h ("DS" string; thus the virus' name), the memory resident copy returns BX=87A1h.
Text added: Oct-23-1996
|
Home
Viruses from A to Z
0-9
A
B
Ñ
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
|