Virus Database


Smile_II.1113

Description Smile_II.1113

This is a non-dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed. The virus terminates "Delete File Using FCB" DOS calls (INT 21h, AH=13h) and displays the message:
Access denied

Depending on the system date it also hooks INT 1Ch and launches a "running face". The virus also contains the text:
Smile Virus.


Rch.1217

Description Rch.1217

This is a benign memory-resident polymorphic parasitic virus. It hooks INT 9 and INT 21h and writes itself to the end of COM and EXE files that are executed or opened. The virus deletes the anti-virus data files CHKLIST.MS and SMARTCHK.CPS, if they exist. On May 20th the virus inserts the following text into the keyboard buffer (i.e. simulates user input):
"Just a joke,Don't mind!"---Rch

RDA.Fighter

Description RDA.Fighter

These are dangerous memory-resident polymorphic parasitic viruses; "RDA.Fighter.7408" is also multipartite. They trace and hook INT 21h, and write themselves to the end of COM and EXE files that are executed, opened or renamed. They also encrypt a randomly selected part of the host file.
While executing an infected file, "RDA.Fighter.7408" infects the MBR of the hard drive. On loading from an infected disk it hooks INT 8, and when DOS is loaded it hooks INT 21h. This virus uses a highly polymorphic engine that generates a sequence of decryption loops (up to 16): the first loop decrypts the virus body and the code of the other loops, then passes control to the second loop, and so on. The virus body is therefore encrypted several times, once per decryption loop.
These viruses use an error correction algorithm to prevent debugging and correction of the virus body. If the virus code is traced during the installation procedure, the viruses erase disk sectors.
The viruses contain the text strings:
"RDA.Fighter.5871": RandomDecodingAlgoritm 1.0
"Stealth Fighter PART I" devoted MSU!
"RDA.Fighter.5969": RandomDecodingAlgoritm 1.1
"Stealth Fighter PART I (1.1) for ALL."
"RDA.Fighter.7408": "RandomDecodingAlgoritm 2.0"
"PhantomPolymorphicMultiLayerEngine 1.2"
"Stealth Fighter 2.0 : New Aggression."

"RDA.Fighter.7408" displays the last string.
After installation the viruses restore the code of the host program by using the data ("host data") that was saved on infection. While restoring the host program they decrypt the part of the host code that was encrypted on infection, restore the header of the COM file and pass control to the host program. The most interesting feature of these viruses is that after the virus body has been decrypted, the host data is still not decrypted, because it is encrypted twice on infection. The algorithm of this additional encryption is selected randomly: the virus selects a random number of instructions (up to 16) from 16 variants of encryption commands (XOR, SUB, ADD, ROL, ROR, NEG, etc.). There may be 65535 (FFFFh) variants of such an encryptor. On infection the virus encrypts the host data by using that method, but does not save the corresponding decryption routine needed to restore the host data.
To decrypt the host data the virus generates a decryption routine by randomly selecting from the same 16 encryption commands, and tries to decrypt the host data. If the host data is not decrypted (the virus calculates and checks the CRC sum), the virus generates the next decryptor, decrypts the host data, calculates and compares the CRC, and so on until the host data appears in its original form. This may take some time even on fast computers.
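The scheme described above can be undone by a disinfection or emulation routine that walks the variant space in order and uses the stored CRC as the stop condition, which bounds the work at 65535 attempts. The sketch below is an added illustration, not code from the virus or from this database; the 16-bit seed model, the small LCG, the operation constants, the use of CRC-32 and the sample bytes are all assumptions made for the example.

```python
import zlib

def rol(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF

# 16 invertible byte transforms standing in for the 16 variants.
# Constants are assumptions; the page names only XOR, SUB, ADD, ROL, ROR, NEG.
OPS = ([lambda b, k=k: b ^ k for k in (0x5A, 0xC3, 0x0F, 0x81)]
       + [lambda b, k=k: (b + k) & 0xFF for k in (0x11, 0x3D, 0x77)]
       + [lambda b, k=k: (b - k) & 0xFF for k in (0x29, 0x65, 0x9B)]
       + [lambda b, n=n: rol(b, n) for n in (1, 3, 5, 7)]  # ROL 5/7 == ROR 3/1
       + [lambda b: -b & 0xFF, lambda b: b ^ 0xFF])        # NEG, NOT

ENC = [bytes(f(b) for b in range(256)) for f in OPS]         # forward tables
DEC = [bytes(t.index(v) for v in range(256)) for t in ENC]   # inverse tables

def op_sequence(seed):
    """Assumed model: a 16-bit seed selects 1..16 ops via a small LCG."""
    seq, x = [], seed
    for _ in range(17):
        x = (x * 25173 + 13849) & 0xFFFF
        seq.append(x >> 12)          # top 4 bits: a value in 0..15
    return seq[1:seq[0] + 2]         # first draw sets the length (1..16)

def encrypt(data, seed):
    for op in op_sequence(seed):
        data = data.translate(ENC[op])
    return data

def decrypt(data, seed):
    for op in reversed(op_sequence(seed)):
        data = data.translate(DEC[op])
    return data

def recover(blob, stored_crc):
    """Try every variant in order; return (host_data, attempts)."""
    for attempts, seed in enumerate(range(1, 0x10000), start=1):
        candidate = decrypt(blob, seed)
        if zlib.crc32(candidate) == stored_crc:
            return candidate, attempts
    return None, 0xFFFF              # CRC never matched: data damaged

# Constructed sample: a fake COM header (JMP near) plus filler bytes.
HOST = b"\xE9\x34\x12" + b"constructed host data"

if __name__ == "__main__":
    plain, attempts = recover(encrypt(HOST, 0xBEEF), zlib.crc32(HOST))
    print(plain == HOST, attempts)
```

The seed that first satisfies the CRC is not necessarily the one used to encrypt, because different operation sequences can compose to the same byte transform; only the recovered data matters.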

    Copyright © 2005 Virus-Database.com